Author: Andy Reed ftp://topsurf.co.uk/reed
FdSc IT/Computer Networking & IT(e-commerce)
Communications Network Management
An Introduction to Security
Data Security
Computer security is the protection of a company's assets by ensuring the safe, uninterrupted operation of the system and the safeguarding of its computers, programs and data files.
Prof. H J Highland, State University of New York
Areas for Discussion (Term 1)
• System Security
• Network Security
• Data Security
• Authentication
• Malware
• Security Controls
• Implementation levels
• Legal Issues
Is there a real need for security?
The Internet and networked systems have become the focal point for a variety of criminal and/or malicious activity, such as:
• Malware, i.e. viruses, worms, Trojan horses
• Fraud, theft, malicious damage
• Masquerading, spoofing
• Espionage, terrorism
• Obscenities, profanities
Corporate security: what is needed?
Many organisations have a number of security concerns, each with its own specific security requirements:
• Schools, colleges and universities
• Financial establishments
• Government offices
• Hospitals
• E-commerce
• Military installations
Common Threats
• Student records (adding, deleting or improving exam grades)
• Confidential or personal information
• Payroll, accounts department
• Accidental damage to data
• Fire
• Flood
• Theft
Common Threats
• Medical records
• Historical records
• Sensitive military information
• Payment transactions
• Bank account information
• Physical assets
• Personnel
Data Security
Security concerns and requirements can be measured in a number of different ways.
• Data availability
• Personal accountability
• Data integrity
• Data or personal confidentiality
Confidentiality
• Prevention of unauthorised information disclosure.
• Data access must be restricted to authorised personnel who hold a valid 'need to know'.
• The seriousness of a disclosure is often dictated by whether it is made to an unauthorised member of the same organisation or to a total outsider.
Integrity
• Integrity can refer to the organisation, the system, the data, or all of them.
• The user must have confidence that:
• The same information can be retrieved as was originally entered.
• Internal processes work as expected or claimed.
• Integrity may be compromised as a result of accidental error or malicious activity.
Availability
• Systems or data should be accessible and fit for purpose on demand by an authorised entity.
• Availability encompasses:
• The prevention of unauthorised withholding of information or resources.
• Safeguards against system failure.
• The seriousness of a denial of service generally increases in proportion to the period of unavailability.
Accountability
• The property that ensures that the actions of an entity may be traced uniquely to that entity.
• This may be achieved by monitoring:
• System behaviour
• Staff activity
What connotations can employee monitoring schemes have?
Terminology
• Asset
• Threat
• Vulnerability
• Physical
• Procedural or personnel policy
• Logical / system / technical
Terminology (cont)
• Risk
• Countermeasure
• Impact
• Baseline security
Asset
An asset is generally considered as an entity of value, such as:
• Data
• Financial: stocks, shares or bonds
• Physical
• Personnel
Threat
A threat is an unwanted deliberate, malicious or accidental act that may result in damage, depletion or harm to an asset, for example:
• Virus
• Flood
• Theft
• Fire
Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security.
• Weak password authentication
• Out-of-date antivirus
• External penetration
• Insecure channels
Physical Security
The risk to, or from, a physical entity; this could be data, hardware/software or personnel. Physical security covers the measures that must be taken to prevent theft, vandalism and other types of harm to technology equipment.
• Personal safety
• Locks, doors and secure rooms
• ID tags
• Infrared tags
Procedural Policy
Procedural measures taken to prevent a disaster, such as safety inspections, fire drills, security awareness programmes and the timing of planned security actions.
• Enforce user policies (no passwords on post-its)
• Plan for disaster recovery
• Maintenance schemes for hardware and software
Risk
The probability that a particular threat will accidentally trigger or intentionally exploit a particular information system vulnerability, together with the resulting impact if this should occur.
Probability:
P = probability, A = event
P(A) = (the number of ways event A can occur) / (the total number of possible outcomes)
Risk Assessment Cycle
Source: Microsoft Security Risk Management (www.microsoft.com)
Risk Assessment
Risk assessment is an ongoing activity throughout the organisation's lifetime. Some steps in the risk assessment cycle are:
• Identify potential risks that could harm or hinder operational procedure, data or personnel
• Estimate the probability of such events occurring
Risk Assessment
• Estimate the most critical and sensitive assets and the potential financial loss, including recovery costs
• Identify the most cost-effective approach to implementing security procedures
• Develop an action plan for security proposals
Risk Assessment
• Implement security procedures
• Monitor the programme for effectiveness
• Identify potential risks that could harm or hinder operational procedure, data or personnel
• Continue the cycle
Countermeasure
An action or restraint on the system designed to enhance security by reducing the risk of an attack, by reducing either the threat or the vulnerability.
• Password time-outs
• Intrusion detection systems
• Enhancing security requirements to meet the threat
• P:P:P:P:P:P:P
Impact
The resulting after-effects of a successful security breach via a threat or vulnerability. The impact will almost certainly generate unwanted outcomes or consequences.
Consequences
• Financial loss
• Embarrassment
• Breach of commercial confidentiality
• Breach of personal privacy
• Legal liability
• Disruption to activities
• Threat to personal safety
Legal Issues
It is important to have an understanding of legal issues relating to security. Setting stringent security policies without a basic understanding of the legal implications could prove costly.
• ICT and the Law will be covered in later lectures, but for now:
Table of UK Statutes
• Computer Misuse Act 1990
• Contracts (Rights of Third Parties) Act 1999
• Copyright, Designs and Patents Act 1988
• Criminal Justice and Public Order Act 1994
• Data Protection Act 1998
• Defamation Act 1996
• Electronic Communications Act 2000
• Obscene Publications Act 1964
Table of UK Statutes (cont)
• Protection of Children Act 1978
• Sale of Goods Act 1979
• Supply of Goods and Services Act 1982
• Telecommunications Act 1994
• Trade Descriptions Act 1968
• Trade Marks Act 1994
• Unfair Contract Terms Act 1977
Conclusion
• 100% security is not an achievable objective.
• Threats are real and present; address them.
• Security costs money; a lack of security costs more.
• Understand the legal standing of the organisation.
• Determine the appropriate level of security for the assets held.
Conclusions
• Risk assessment should be a cyclic progression.
• 99.999% security is said to be considered desirable.
• Organisations have a legal obligation to protect third-party assets, data and employee confidentiality.
• It is useful to understand how the Law fits into the domain of ICT data security.