Security - PowerPoint PPT Presentation

About This Presentation
Title:

Security

Description:

Security is only about protecting 'things' We don't have any information anyone would want ... Our people won't tolerate tight security. My PC is secure, so ... – PowerPoint PPT presentation

Number of Views:207
Avg rating:3.0/5.0
Slides: 36
Provided by: albertsch
Learn more at: https://www.ou.edu
Category:
Tags: security

less

Transcript and Presenter's Notes

Title: Security


1
Security
2
Myths about Business Risksin the Information Age
  • Security is only about protecting things
  • We dont have any information anyone would want
  • Security problems have never happened here.
  • Firewalls provide enough security
  • Technology will solve the security problem
  • The enemy is outside
  • Our people wont tolerate tight security
  • My PC is secure, so Im secure
  • The Internet cant be used for secure
    communications

The Economist and Arthur Andersen
3
SECURITY
  • Deter
  • Detect
  • Minimize
  • Investigate
  • Recover

4
Security Risks
Internal External
5
Threats
  • Disaster and breakdowns
  • Access and disclosure
  • Alteration or destruction
  • Improper use

6
RISK ASSESSMENT
  • P1 Probability of attack
  • P2 Probability of success
  • L Cost of Loss
  • Expected Loss P1 P2 L
  • Minimize Threat Categories

7
Security Policy
  • Security is always a cost to efficiency. It must
    be promoted to be effective.
  • From the top
  • Before installing hardware
  • Politically charged

8
Writing a Security Policy
  • Assess the types of risks
  • Identify vulnerabilities
  • Analyze user needs
  • Write the policy
  • Develop change procedures
  • Plan implementation
  • Implement

9
Risk Areas
  • Integrity Risk
  • Access Risk
  • Availability Risk
  • Infrastructure Capability
  • Denial of service
  • Personnel Risk
  • Background checks
  • Segregation of duties
  • Terminated employees
  • Physical Access Risk
  • Disaster Risk
  • Disaster Recovery
  • Backup/hot sites

10
Integrity Risk
  • Risks associated with the authorization,
    completeness and accuracy of transactions
  • User interface
  • Processing
  • Error Processing
  • Interfaces with other systems/databases
  • Change Management
  • Data
  • Privacy
  • Backup

11
Access Risk
  • Risks associated with inappropriate access to
    systems or data
  • Identification, authentication and nonrepudiation
  • What you know, what you have, what you are
  • Encryption (algorithm and key)
  • Secret key, private/public key
  • smart cards, hardware tokens
  • Digital Signature (hashing and public key
    encrypt with private key, send with private key,
    and then decode with public key)
  • Certification authority and digital certificates
  • Security Protocols
  • Firewalls and Guards

12
Elements of Risk
Asset
Threat
Access
13
Administrative ControlsLimit the Threat
  • Standards, rules, procedures and discipline to
    assure that personnel abide by established
    policies. Includes segregation of functions.

14
Administrative Controls
  • Security organization
  • Audits
  • Risk assessment
  • Administrative standards and procedures

15
Protecting the Assets
  • Resource management
  • Disaster recovery
  • System segregation

16
Resource Management
  • Backup planning
  • Job scheduling
  • Redundant design
  • Selective decoupling

17
Disaster Management
  • Redundancy and fault tolerant systems
  • Backups and off site storage
  • Hot and cold sites
  • Planning and procedures

18
Elements of Risk
Asset
Threat
Access
19
Access Control
  • Human environment
  • Policies and procedures
  • Technological solutions

20
Vulnerabilities
  • Servers
  • Securing operating systems and applications
  • Networks
  • Access protection from snooping, attacks,
    spoofing
  • Clients and modems
  • User verification for PCAnywhere etc.
  • Viruses

21
Operating Systems
  • UNIX
  • Novell Netware
  • Windows and Windows NT

22
Secure Operating Systems
  • U.S. Government Certification
  • A1, B1, B2, B3, C1, C2 (most commercial systems),
    D
  • Ease of use
  • CERT (Computer Emergency Response Team)
    www.cert.org

23
Top 12 SecurityRisks
  • 1. Hosts run unnecessary services
  • 3. Information leakage through network service
    programs
  • 4. Misuse of trusted access
  • 5. Misconfigured firewall access lists
  • 7. Misconfigured web servers
  • 10.Inadequate logging, monitoring or detecting

24
Top 12 Security Risks
  • 2. Unpatched, outdated or default configured
    software
  • 6. Weak Passwords
  • 8.Improperly exported file sharing services
  • 9. Misconfigured or unpatched Windows NT servers
  • 11.Unsecured remote access
  • 12.Lack of comprehensive policies and standards

25
Tools
  • Firewalls
  • Network partitioning and routers
  • Encryption
  • Testing tools
  • Consultants

26
Firewall functions
  • Packet Filter Blocks traffic based on IP
    address and/or port numbers.
  • Proxy Server Serves as a relay between two
    networks, breaking the connection between the
    two.
  • Network Address Translation (NAT) Hides the IP
    addresses of client stations in an internal
    network by presenting one IP address to the
    outside world.
  • Stateful Inspection Tracks the transaction in
    order to verify that the destination of an
    inbound packet matches the source of a previous
    outbound request. Generally can examine multiple
    layers of the protocol stack.

27
Firewall Operation
28
Firewall Operation
  • 1. A router sits between two
  • networks
  • 2. A programmer writes an access control list,
    which contains IP addresses that can be allowed
    onto the network.
  • 3. A message gets sent to the router. It checks
    the address against the access control list. If
    address the is on the list, it can go through.
  • 4. If the address isn't on the list, the message
    is denied access to the network.

29
Encryption
  • Keys and key length
  • Public key/private key
  • Processing problems
  • Location
  • Application
  • Network
  • Firewall
  • Link

30
Encryption Techniques
31
How Public Encryption Works
  • 1. Sue wants to send a message to Sam, so she
    finds his public key in a directory.
  • 2. Sue uses the public key to encrypt the message
    and send it to Sam.
  • 3. When the encrypted message arrives, Sam uses
    his private key to decrypt the data and read
    Sue's message.

32
Encryption at the Firewall
33
Authentication
  • Passwords
  • Credit cards
  • Biometrics
  • Isolation
  • Remote location verification

34
Biometrics how it works
  • Users "enroll" by having their fingerprints,
    irises, faces, signatures or voice prints
    scanned.
  • Key features are extracted and converted to
    unique templates, which are stored as encrypted
    numerical data.
  • Corresponding features presented by a would-be
    user are compared to the templates in the
    database.
  • Matches will rarely be perfect, and the owners of
    the system can vary a sensitivity threshhold so
    as to minimize either the rate of false
    rejections, which annoy users, or false
    acceptances, which jeopardize security. This
    offers far more flexibility than the binary "Yes"
    or "No" answers given by password technologies.

35
Common biometric techniques and how they rate
International Biometric Group, New York as
reported in Computerworld, Quick Study
Biometrics, 10/12/98
36
Security
37
Common Saboteurs Tools
  • Trojan Horse
  • Salami Techniques
  • Back Door/Trap Door
  • Time Bomb/Logic Bomb
  • Masquerade
  • Piggybacking
  • Scavenging
  • Viruses
  • Data Manipulations

38
Security Protocols
  • S-HTTP secures web transactions
  • SSL secures data packets at the network layer
  • S/MIME secures email attachments
  • S/WANN point-to-point encryption between
    firewalls and routers
  • SET secures credit card transactions
Write a Comment
User Comments (0)
About PowerShow.com