Introduction to Computer Security PowerPoint Presentation

Introduction to Computer Security PowerPoint Presentation

2015-09-23 82K 82 0 0

Description

Introduction to Computer Security. Books:. An . Inroduction. to Computer Security: The NIST Handbook. Johannes . Buchmann. : Introduction to Cryptography. Douglas Stinson: Cryptography Theory and Practice. ID: 137573

Embed code:

Download this presentation



DownloadNote - The PPT/PDF document "Introduction to Computer Security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentations text content in Introduction to Computer Security

Slide1

Introduction to Computer Security

Slide2

Introduction to Computer Security

Books:

An

Inroduction

to Computer Security: The NIST Handbook

Johannes

Buchmann

: Introduction to Cryptography

Douglas Stinson: Cryptography Theory and Practice

Slide3

I. Outline of the semester

Term of computer security

Elements of computer security

Three major security controls:

Administrative

controls,

Physical

controls,

Algorithmic

controls

:

Cryptography – encryption (symmetric, asymmetric), hash functions, digital signatures, message authentication codes, identification, key exchange etc.

Slide4

II. Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of

preserving the integrity, availability and confidentiality of information system resources

(includes hardware, software, information/data

)

Slide5

II. Computer Security

Integrity:

data integrity: Requirement that

information and programs

are changed only in a specified and authorized manner

system integrity: Requirement that a

system

performs its intended function free from unauthorized manipulation

Slide6

II. Computer Security

Availability:

Requirement intended to assure that systems work promptly and service is not denied to authorized users.

Confidentiality:

Requirement that private or confidential information not be disclosed to unauthorized individuals.

Slide7

II. Elements of Computer Security

Computer security supports the mission of the organization

Computer security is an integral element of sound management

Computer security should be cost-effective

Computer security responsibilities should be made explicit

System owners have computer security responsibilities outside their own organizations

Computer security requires a comprehensive and integrated approach

Computer security should be periodically reassessed

Computer security is constrained by societal factors

Slide8

II. Computer security supports the mission of the organization

Computer security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

No complete security

protecting important assets

usually security is secondary (making profit, providing good service etc. is primary)

Management should understand their mission and how their information system supports it.

 security requirements are defined

Interorganizational

systems e.g.: good security of buyers system also benefits the seller

Slide9

II. Computer security is an integral element of sound management

Information and computer systems are often critical assets that support the mission of an organization. Protecting them can be as critical as protecting other organizational resources (e.g. money, physical assets, employees)

Managers should decide about the level of risk they are willing to accept.

Slide10

II. Computer security should be cost-effective

Ensure that the cost of controls does not exceed expected benefits.

Direct costs: purchasing, installing and administering security systems

Indirect costs: Security systems can sometimes affect system performance, employee morale or retraining requirements.

Slide11

II. Computer security responsibilities should be made explicit

Document that states organization policy and make explicit computer security responsibilities

Responsibilities may be internal to an organization or may extend across organizational boundaries

.

Slide12

II. Computer security requires a comprehensive and integrated approach

Interdependencies of security controls –

Administrative

,

physic

al

and

algorithmic

controls work together

interdependancies

e.g.: training on how to use a secure system

Other i

nterdependencies – system management, legal issues, quality assurance

Slide13

II. Computer security should be periodically reassessed

Computers and the environments they operate in are dynamic

 security requirements are ever-changing

Changes in the system or the environment can create new vulnerabilities  necessary to reassess periodically

Slide14

II. Computer security is constrained by societal factors

Security may be limited by social issues

e.g. security vs. privacy (identification, tracking actions)

Slide15

III. Roles and Responsibilities

Whose responsibility is it?

Senior management

Computer Security Management

Program and Functional Managers/Application owners

Technology providers

Supporting organizations

Users

Slide16

III. Senior management

Senior management – ultimate responsibility

They establish the organization’s computer security program to support the mission of the organization.

They are responsible for setting a good example for their employees

Slide17

III. Computer Security Management

Directs the organization’s day-to-day management of its computer security program

Responsible for coordinating all security-related interactions among organizational elements.

Slide18

III. Program and Functional Managers/Application owners

Responsible for a program or function including the supporting computer system.

These officials are usually assisted by technical staff

.

Slide19

III. Technology providers

Managers and technicians who design and operate computer systems.

They are responsible for implementing technical security on computer systems.

Responsible for being familiar with security technology that relates to their system.

Responsible for analyzing technical vulnerabilities.

Telecommunications – providing communication services (fax, voice, etc.)

Help desk – recognize security incidents and refer the caller to the appropriate person or organization for a response

Slide20

III. Supporting organizations

Audit – Auditors are responsible for examining systems whether the system is meeting stated security requirements.

Quality assurance – Responsible for improving the products and services, how computer security can be used to improve the quality.

Training office – Responsible for training users, operators, managers in computer security.

Risk Management – Responsible for studying all types of risks including computer security-related risks.

Slide21

III. Users

Users of information

Individuals who use information provided by the computer system. They may read computer-prepared reports etc.

Users of systems

Individuals who directly use computer systems, responsible for following security procedures, reporting security problems, attending security training.

Slide22

IV. Threats

Threats range from errors harming database integrity to fires destroying entire computer centers

Threats from the actions of trusted

empl

o

yees

, outside hackers, careless data entry clerks etc.

Attack confidentiality, integrity of data or availability of a system

Slide23

IV. Threats

Knowledge of threat environment is necessary for system manager to implement the most cost-effective security measures.

It might be more cost-effective to simply tolerate the expected losses

 risk analysis

Slide24

IV. Errors and omissions

Threat to data and system integrity

Made by users who create and edit data

 training can help

Large percentage of threats

Contribute directly or indirectly to security problems

Slide25

IV. Errors and omissions

Directly

: data entry error or programming error that crashes a system

Indirectly

: errors create vulnerabilities

Errors in programming are called

bug

s

Installation and maintenance errors

security vulnerabilities

Slide26

IV. Fraud and theft

Automating traditional methods of fraud and theft

E.g.: financial systems are at risk, systems that control access to any resource (inventory systems etc.)

Insiders (former employees also) are in a better position

,

outsiders

Hardware and software are vulnerable to theft

Slide27

IV. Employee sabotage

Employees know what actions might cause the most damage

Employee sabotage is believed to be much smaller than the instances of theft, but the cost of such incidents can be quite high

.

Slide28

IV. Loss of physical and Infrastructure support

Includes power failures, loss of communication, water leaks, lack of transportation service, fire, flood etc.

Loss of infrastructure often results in unexpected ways

Slide29

IV. Malicious hackers/crackers

A

hacker

breaks into computers and computer networks, either for profit or motivated by the challenge

.

Black hat (

crackers

)

hackers

:

for malicious reasons such as vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity

White hat

hackers

:

for non-malicious reasons, for instance testing their own security system

Grey hat

hackers

:

combination of a Black Hat and a White Hat Hacker

(

repair the system for a small fee

)

Slide30

IV. Malicious hackers/crackers

Losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage, the hacker problem is widespread and serious.

Receive more attention: hacker threat is a more recently encountered threat, organizations do not know the purpose of a hacker (browse, steal, damage, etc.)

 no limitations, hackers’ identity is unknown (case of painter and burglar)

Slide31

IV. Industrial espionage

Gathering proprietary data from private companies or the government for the purpose of aiding another company.

Goal is to improve their competitive advantage .

Since information is processed and stored on computer systems, computer security can help. (employees may sell information)

E.g.: pricing information, product development, customer lists, sales data, cost data, strategic plans

Slide32

IV. Malicious code

Virus:

A code segment that replicates by attaching copies of itself to existing executables. The new copy of the virus is executed when a user executes the new host program.

Trojan horse:

A program that performs a desired task, but that also includes unexpected functions. They steals information, harm the system and do not replicate themselves.

Slide33

IV. Malicious code

Worm:

A self-replicating program that is self-contained and does not require a host program. The program creates a copy of itself and causes it to execute, no user intervention is required. Sometimes just consume

bandwith

.

Slide34

IV. Threats to personal privacy

Electronic information about individuals by governments, credit bureaus, private companies, etc. have created a threat to individual privacy.

Often referred to „Big Brother”.

Federal and state employees have sold personal information collected by the government. (1992, USA)

Slide35

V. Administrative controls – Risk management

Risk

is the possibility of something adverse happening.

Risk management

is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk.

Computer security risk management

addresses risks which arise from an organization’s use of information technology.

Slide36

V. Administrative controls – Risk management

E.g.

:

To maximize the return on their investments, businesses must often decide between aggressive (but high-risk) and slow-growth (but more secure) investment plans. These decisions require analysis of risk.

 Management decides

There is always risk. (from trusted employees or fire etc.)

Risk management is made up of three activities:

risk assessment, risk mitigation

and

uncertainty analysis

Slide37

V. Administrative controls – Risk management – Risk assessment

Risk assessment: Process of analyzing and interpreting risk

Basic activities:

determining the assessment’s scope and methodology

Collecting and analyzing data

Interpreting the risk analysis results

Slide38

V. Administrative controls – Risk management – Risk mitigation

Selecting safeguards

Method of selecting safeguards: what if analysis to test what difference each makes with regard to cost, effectiveness and other factors

E.g.: what if passwords are strengthened? Personnel may be required to change passwords more frequently. There are no direct monetary expenditure, but staff and administrative overhead is increased.

Slide39

V. Administrative controls – Risk management – Uncertainty analysis

Risk management often must rely on speculation, best guesses, incomplete data, and many unproven assumptions.

Sources of uncertainty: lack of confidence or precision in the risk management model or lack of sufficient information to determine the exact value of the elements of the risk model

Slide40

VI. Computer Support and Operations (Regulations)

This includes both system administration and

tasks external to the system that support its

operation (e.g., maintaining documentation).

It does not include system planning or design.

Support and operations are

routine activities that enable computer systems to function correctly.

(

e.g. fixing

software or hardware problems

,

maintaining software

)

Slide41

VI. Computer Support and Operations

User Support

:

through a Help Desk

which problems

are security-related

they may not be aware of the

"whole picture„

Software

Support

:

controlling what software is used on a system

( must

not

load

any

)

ensure

th

e

software has not been modified

without proper authorization

(

This can be done with a combination of

logical and physical access controls.

)

Slide42

VI. Computer Support and Operations

Configuration

Management

:

process of keeping track

of changes to the system and, if needed, approving them

the security goal is to know what

changes occur, not to prevent security from

being changed

Backups

:

Support and operations personnel and

sometimes users back up software and data

Frequency of backups will depend

upon how often data changes and how

important those changes are.

Finally,

backups should be stored securely

Slide43

VI. Computer Support and Operations

Logging

:

to support

accountability

Control

numbers (or other tracking data), the times and dates of transfers, names and signatures of

individuals involved, and other relevant information

Integrity Verification:

no modification

error detection and correction, cryptographic-based technologies

Slide44

VII. Physical and environmental security

Physical Access Protection

:

Media can be stolen, destroyed, replaced with a look-alike copy, or lost.

Physical access controls,

which can limit these problems, include locked doors, desks, file cabinets, or safes.

Environmental Protection:

media

should

be

protected

against

heat

,

liquids

,

dust

etc.

Disposition

The

process of removing information from media

is called sanitization.

e.g

.:

overwriting, destruction

by shredding or burning

Slide45

VII. Physical and environmental security

refers to

measures taken to protect systems, buildings,

and related supporting infrastructure against

threats associated with their physical

environment

three

areas:

the building, other structure, or vehicle housing the system

and network components

;

determine the level of

such physical threats as fire, roof leaks, or unauthorized access

facility's general geographic operating location determines the characteristics of

natural threats, which include earthquakes and flooding

;

man-made threats such as burglary

or

damaging nearby

activities, including toxic chemical spills, explosions, fires, and electromagnetic interference

system's operation usually depends on supporting facilities such

as electric power, heating and air conditioning, and telecommunications.

Slide46

VII. Physical and environmental security

Interception of Data

Direct

Observation

-

terminal and workstation display screens

Interception

of Data

Transmissions

-

access to data transmission lines

Electromagnetic

Interception

-

Systems routinely radiate electromagnetic energy that can be

detected with special-purpose radio receivers.

(

TEMPEST

attack

)

Slide47

Algorithmic Control – Identification, Entity authentication

Identification

is the means by which a user

provides a claimed identity to the system.

Entity authentication

is the means of establishing

the validity of this claim.

something the individual

knows

(

e.g

.:

password

, PIN)

something the individual

possesses

(

e.g

.: smart

card

,

token

)

something the individual

is

(

e.g

.:

biometric

)


About DocSlides
DocSlides allows users to easily upload and share presentations, PDF documents, and images.Share your documents with the world , watch,share and upload any time you want. How can you benefit from using DocSlides? DocSlides consists documents from individuals and organizations on topics ranging from technology and business to travel, health, and education. Find and search for what interests you, and learn from people and more. You can also download DocSlides to read or reference later.