Author: Andy Reed ftp://topsurf.co.uk/reed
FdSc IT/Computer Networking & IT(e-commerce)
Communications Network Management: An Introduction to Security
Data Security
Computer security is the protection of a company’s assets by ensuring the safe, uninterrupted operation of the system and the safeguarding of its computer, programs and data files.
Prof. H J Highland, State University of New York
Areas for Discussion (Term 1)
• System Security
• Network Security
• Data Security
• Authentication
• Malware
• Security Controls
• Implementation levels
• Legal Issues
Is there a real need for security?
The Internet and networked systems have become the focal point for a variety of criminal and/or malicious activity, such as:
• Malware, i.e. viruses, worms, Trojan horses
• Fraud, theft, malicious damage
• Masquerading, spoofing
• Espionage, terrorism
• Obscenities, profanities
Corporate security: what is needed?
For many organisations there will be a number of security concerns, each with their own specific security requirements:
• Schools, colleges and universities
• Financial establishments
• Government offices
• Hospitals
• E-commerce
• Military installations
Common Threats
• Student records (add, delete or improve exam grades)
• Confidential or personal information
• Payroll, accounts department
• Accidental damage of data
• Fire
• Flood
• Theft
Common Threats (cont)
• Medical records
• Historical records
• Sensitive military information
• Payment transactions
• Banking account information
• Physical assets
• Personnel
Data Security
Security concerns and requirements can be measured in a number of different ways.
• Data availability
• Personal accountability
• Data integrity
• Data or personal confidentiality
Confidentiality
• Prevention of unauthorised information disclosure.
• Data access must be restricted to authorised personnel who hold a valid ‘need to know’.
• The seriousness of the disclosure is often dictated by whether it occurs to an unauthorised member of the same organisation or a total outsider.
Integrity
• This could refer to the organisation, the system, the data, or all of them.
• The user must have confidence that:
  • The same information can be retrieved as was originally entered.
  • Internal processes work as expected or claimed.
• Integrity may be compromised as a result of accidental error or malicious activity.
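The integrity property above ("the same information can be retrieved as was originally entered") can be checked mechanically by storing a keyed hash alongside each record and recomputing it on retrieval. The following is an added example, not part of the lecture: it seals a constructed student record with an HMAC-SHA256 tag and shows that a later change to the stored grade, whether accidental or malicious, is detected. The key, record contents and function names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system the key lives in a key store that the
# data-entry path cannot read; if it sits beside the records, the tag is worthless.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialise a record so that the same content always gives the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Store a record together with an HMAC-SHA256 tag computed at entry time."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes = DEMO_KEY) -> bool:
    """True only if the stored record still matches the tag it was entered with."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing does not reveal how much matched
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed sample: a student record of the kind the lecture lists under common threats.
ORIGINAL = {"student_id": "S1001", "module": "CNM101", "grade": 58}


def demo() -> tuple:
    """Seal a record, then verify it before and after an unauthorised grade change."""
    sealed = seal_record(ORIGINAL)
    ok_before = verify_record(sealed)
    # The stored grade is altered (accidentally or maliciously) without re-sealing.
    tampered = {"record": dict(sealed["record"], grade=78), "tag": sealed["tag"]}
    ok_after = verify_record(tampered)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"original record verifies: {before}, altered record verifies: {after}")
```

The tag only proves that the record has not changed since it was sealed; it says nothing about whether the person who sealed it was entitled to. Pairing the tag with an audit entry naming who entered the record is what links integrity to the accountability property discussed later.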
Availability
• Systems or data should be accessible and fit for purpose on demand by an authorised entity.
• Availability encompasses:
  • The prevention of unauthorised withholding of information or resources.
  • Safeguards against system failure.
• The seriousness of denial of service generally increases in proportion to the period of unavailability.
Accountability
• The property that ensures that the actions of an entity may be traced uniquely to that entity.
• This may be encompassed by monitoring:
  • System behaviour
  • Staff activity
What connotations can employee monitoring schemes have?
Terminology
• Asset
• Threat
• Vulnerability
• Physical
• Procedural or personnel policy
• Logical / system / technical
Terminology (cont)
• Risk
• Countermeasure
• Impact
• Baseline security
Asset
An asset is generally considered as an entity of value, such as:
• Data
• Financial: stocks, shares or bonds
• Physical
• Personnel
Threat
A threat is an unwanted deliberate, malicious or accidental act that may result in damage, depletion or harm to an asset:
• Virus
• Flood
• Theft
• Fire
Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security.
• Weak password authentication
• Out-of-date antivirus
• External penetration
• Unsecured channels
Physical Security
The risk to, or from, a physical entity: data, hardware/software or personnel. Physical security covers the measures that must be taken to prevent theft, vandalism and other types of harm to technology equipment:
• Personal safety
• Locks, doors and secure rooms
• ID tags
• Infrared tags
Procedural Policy
Procedural measures taken to prevent a disaster, such as safety inspections, fire drills, security awareness programs, timing of planned security actions.
• Enforce user policies (no post-its)
• Plan for disaster recovery
• Maintenance schemes for hardware and software
Risk
The probability that a particular threat will accidentally trigger or intentionally exploit a particular information system vulnerability and the resulting impact if this should occur.
Probability:
P = probability
A = event
P(A) = (the number of ways event A can occur) / (the total number of possible outcomes)
Risk Assessment Cycle
[Figure: Risk Assessment Cycle diagram, source: Microsoft Security Risk Management, www.microsoft.com]
Risk Assessment
Risk assessment is an ongoing activity throughout the organisation's lifetime. Some steps in the risk assessment cycle are:
• Identify potential risks that could harm or hinder operational procedures, data or personnel
• Estimate the probability of such events occurring
Risk Assessment (cont)
• Estimate the most critical and sensitive assets and the potential financial loss, including recovery costs
• Identify the most cost-effective approach to implementing security procedures
• Develop an action plan for security proposals
Risk Assessment (cont)
• Implement security procedures
• Monitor the programme for effectiveness
• Identify potential risks that could harm or hinder operational procedures, data or personnel
• Continue the cycle
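The cycle above asks for an estimated probability per threat, an estimated loss per incident, the most cost-effective countermeasure, and an action plan. The following added example (not from the lecture or from Microsoft's guide) puts those steps into a small risk register: it scores each risk as probability multiplied by loss, ranks the risks, and for each one picks the countermeasure whose annual saving exceeds its annual cost by the most. The "probability × loss" scoring rule, the register entries and every figure in them are constructed assumptions for illustration; on a later pass of the cycle the estimates would be replaced by what monitoring actually showed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Countermeasure:
    name: str
    annual_cost: float        # what it costs to run each year
    probability_after: float  # estimated probability of the threat once it is in place
    loss_after: float         # estimated loss per incident once it is in place


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float        # estimated probability of the threat occurring in a year
    loss: float               # estimated loss per incident, including recovery costs
    countermeasures: List[Countermeasure] = field(default_factory=list)


def expected_loss(probability: float, loss: float) -> float:
    """Assumed scoring rule: probability of the event times the loss if it occurs."""
    return probability * loss


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order risks so the largest expected loss comes first."""
    return sorted(risks, key=lambda r: expected_loss(r.probability, r.loss), reverse=True)


def best_countermeasure(risk: Risk) -> Tuple[Optional[Countermeasure], float]:
    """Pick the countermeasure with the largest net annual saving.

    Net saving = expected loss now - expected loss with the measure - its cost.
    Returns (None, 0.0) when no measure saves more than it costs.
    """
    base = expected_loss(risk.probability, risk.loss)
    best, best_saving = None, 0.0
    for cm in risk.countermeasures:
        residual = expected_loss(cm.probability_after, cm.loss_after)
        saving = base - residual - cm.annual_cost
        if saving > best_saving:
            best, best_saving = cm, saving
    return best, best_saving


# Constructed sample register; every figure is an illustrative estimate, not real data.
SAMPLE_RISKS = [
    Risk("server room", "fire", 0.02, 200_000, [
        Countermeasure("fire suppression", 2_000, 0.005, 200_000),
        Countermeasure("off-site backups", 1_000, 0.02, 50_000),
    ]),
    Risk("student records server", "malware", 0.3, 20_000, [
        Countermeasure("up-to-date antivirus", 1_500, 0.1, 20_000),
        Countermeasure("awareness programme", 4_000, 0.2, 20_000),
    ]),
    Risk("staff laptops", "theft", 0.1, 5_000, [
        Countermeasure("full-disk encryption", 200, 0.1, 1_500),
    ]),
    Risk("paper archive", "flood", 0.01, 10_000, [
        Countermeasure("relocate archive", 5_000, 0.0, 0),
    ]),
]


def action_plan(risks: List[Risk]) -> List[Tuple[str, str, Optional[str]]]:
    """One entry per risk, highest expected loss first: (asset, threat, chosen measure)."""
    plan = []
    for risk in prioritise(risks):
        cm, _ = best_countermeasure(risk)
        plan.append((risk.asset, risk.threat, cm.name if cm else None))
    return plan


if __name__ == "__main__":
    for asset, threat, measure in action_plan(SAMPLE_RISKS):
        print(f"{asset:22} {threat:8} -> {measure or 'accept risk for now'}")
```

Note that the cheapest measure is not always the one chosen: for the fire risk, off-site backups win over fire suppression because they cut the loss per incident rather than the probability, which matters more at these figures. The flood risk ends up with no measure at all, which is the "accept the risk" outcome the lecture's conclusion alludes to when it says security costs money.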
Countermeasure
An action or restraint on the system designed to enhance security by reducing the risk of an attack, by reducing either the threat or the vulnerability.
• Password time-outs
• Intrusion detection systems
• Enhancing security requirements to meet the threat
• P:P:P:P:P:P:P
Impact
The resulting after-effects of a successful security breach via a threat or vulnerability. The impact will almost certainly generate unwanted outcomes or consequences.
Consequences
• Financial loss
• Embarrassment
• Breach of commercial confidentiality
• Breach of personal privacy
• Legal liability
• Disruption to activities
• Threat to personal safety
Legal Issues
It is important to have an understanding of legal issues relating to security. Setting stringent security policies without a basic understanding of the legal implications could prove costly.
• ICT and the Law is covered in later lectures, but for now:
Table of UK Statutes
• Computer Misuse Act 1990
• Contracts (Rights of Third Parties) Act 1999
• Copyright, Designs and Patents Act 1988
• Criminal Justice and Public Order Act 1994
• Data Protection Act 1998
• Defamation Act 1996
• Electronic Communications Act 2000
• Obscene Publications Act 1964
Table of UK Statutes (cont)
• Protection of Children Act 1978
• Sale of Goods Act 1979
• Supply of Goods and Services Act 1982
• Telecommunications Act 1994
• Trade Descriptions Act 1968
• Trade Marks Act 1994
• Unfair Contract Terms Act 1977
Conclusion
• 100% security is not an achievable objective.
• Threats are real and present; address them.
• Security costs money; lack of security costs more.
• Understand the legal standing of the organisation.
• Determine the appropriate level of security for the assets held.
Conclusion (cont)
• Risk assessment should be a cyclic progression.
• 99.999% security is said to be considered desirable.
• Organisations have a legal obligation to protect third-party assets, data and employee confidentiality.
• It is useful to understand how the Law fits into the domain of ICT data security.