Module 8 Administering Security
Network Security, Philadelphia University
Ahmad Al-Ghoul, 2010-2011
Module 8 Administering Security
Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: [email protected]
Contents
Personal Computer Security Management
Contributors to Security Problems
Security Measures
Protection of Files
Access Control Mechanisms for PCs
Risk Analysis
THEORETICAL FRAMEWORK
Reacting to Threats
CULTURE AND RISK
STAKEHOLDER MODEL
RISK COMMUNICATION
TRUST AND CONFIDENCE VS CREDIBILITY
INSTITUTIONAL CREDIBILITY
Risk Perception, Trust and Credibility
Personal Computer Security Management
Security problems for personal computers are more serious than on mainframe computers
– people issues
– hardware and software issues
Lack of sensitivity
– users do not appreciate security risks associated with the use of PCs
Lack of tools
– hardware and software tools are fewer and less sophisticated than in the mainframe environment
Contributors to Security Problems
Hardware vulnerabilities
– limited protection of one memory space
– every user can execute every instruction
– can read and write every memory location
– the operating system may declare certain files as “system” files, but it cannot prevent the user from accessing them
– operating system designers have failed to take advantage of hardware protection
Contributors to Security Problems
Low awareness of the problem
– analogous to a calculator
No unique responsibility
– if the machine is shared, nobody takes full responsibility for maintenance, supervision and control
Few hardware controls
– few PCs take advantage of hardware features
No audit trail
Environmental attacks
Physical access
– unattended machines
Care of media components
– diskettes, etc.
Contributors to Security Problems
No backups
Questionable documentation
High portability
Combination of duties
– lack of checks and balances
Security Measures
Procedures:
– do not leave PCs unattended in an exposed environment if they contain sensitive info
– do not leave printers unattended if they are printing sensitive output
– secure media as carefully as you would a confidential report
– perform periodic back-ups
– practice separation of authority
Security Measures
Hardware Controls:
– secure the equipment
– consider using add-on security boards
Software Controls:
– use all software with full understanding of its potential threats
– do not use software from dubious sources
– be suspicious of all results
– maintain periodic complete backups of all system resources
Protection of Files
Access control features
Encryption
Copy protection
No protection
Access Control Mechanisms for PCs
Motivations for access control:
– outside interference
– two users, one machine
– network access
– errors
– untrusted software
– separation of applications
Features of PC Access Control Systems
Transparent encryption
– some systems automatically encrypt files so that their contents will not be evident
Time of day checking
– allowing access during certain times
Automatic timeout
– the system automatically terminates the session
Machine identification
– unique serial no. can be read by the application
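An added example, not part of the original slides, showing how three of the features above (time of day checking, automatic timeout and machine identification) combine into a single session decision. The permitted hours, the 10-minute idle limit and the serial numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class AccessPolicy:
    # Every value here is an assumed sample setting, not taken from the slides.
    allowed_from: time = time(8, 0)
    allowed_until: time = time(18, 0)
    idle_limit: timedelta = timedelta(minutes=10)
    registered_serials: frozenset = frozenset({"PC-0001", "PC-0002"})


def in_window(now: time, start: time, end: time) -> bool:
    """True if now lies in [start, end); also handles windows crossing midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def check_session(policy: AccessPolicy, serial: str,
                  now: datetime, last_activity: datetime):
    """Return (allowed, reason); every failed check denies access."""
    # Machine identification: only registered serial numbers may proceed.
    if serial not in policy.registered_serials:
        return False, "unknown machine"
    # Time of day checking: access only during the permitted hours.
    if not in_window(now.time(), policy.allowed_from, policy.allowed_until):
        return False, "outside permitted hours"
    # A last-activity time in the future means the clock was changed: fail closed.
    if last_activity > now:
        return False, "invalid activity timestamp"
    # Automatic timeout: terminate sessions idle for the limit or longer.
    if now - last_activity >= policy.idle_limit:
        return False, "idle timeout"
    return True, "ok"


if __name__ == "__main__":
    policy = AccessPolicy()
    now = datetime(2011, 3, 1, 9, 30)  # constructed sample timestamp
    for serial, last in [("PC-0001", now - timedelta(minutes=2)),
                         ("PC-0001", now - timedelta(minutes=15)),
                         ("PC-9999", now)]:
        print(serial, check_session(policy, serial, now, last))
```
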
Risk Analysis
RISK: possibility of suffering harm or loss; a factor, course or element involving uncertain danger
THEORETICAL FRAMEWORK
An important parameter in designing security systems is the COST
RISK ASSESSMENT
Risk perception
– psychological theory of risk: how the general public reacts to uncertainties of danger, and how this general reaction affects individual behaviour.
– cultural theory of risk: risk perception differs depending on the social group & belief system an individual belongs to (Douglas 1970)
Reacting to Threats
[Diagram; labels: RISK PERCEPTION, THREAT, RESPONSE, Passive Reaction, communication]
Reacting to Threats
[Diagram; labels: RISK PERCEPTION, Organisation Structure, RISK MANAGEMENT, External danger, Shared Meaning and Trust]
CULTURE AND RISK
Risk behaviour is a function of how human beings, individually and in groups, perceive their place in the world.
It is important to understand the role of culture in stakeholder interaction in order to understand cultural biases in risk perception.
STAKEHOLDER MODEL
Stakeholders
– Users: information user
– Suppliers: information provider and systems developer
– Others: systems manager
Each stakeholder group has a differing perception of the same risk.
Stakeholders can be grouped within themselves depending on the social groups they belong to rather than roles they assume.
STAKEHOLDER MODEL
Individuals have different cultural biases and have different perceptions of risk
– computer privacy and security rules are different in different countries
– Singapore, Japan, US, Canada
Grouping stakeholders is not enough for designing IS.
RISK COMMUNICATION
It is important to know the cultural backgrounds of the stakeholders
– how they perceive risks
– how they communicate risks
– risk communication theory
– risk communication model
RISK COMMUNICATION
Past:
– risk communication as one way to general public from government…
– efforts to improve risk communication
– to get the message across by describing the magnitude and balance of the attendant costs and benefits
RISK COMMUNICATION
The costs and benefits are equally distributed across a society
People do not agree about which events or actions do the most harm or which benefits are more worth seeking.
RISK COMMUNICATION
US National Research Council (1989)
Risk communication is an interactive process of exchange of information and opinion among individuals, groups and institutions. It involves multiple messages about the nature of the risk and other messages, not strictly about risk, that express concerns, opinions and reactions to risk messages or to legal and institutional arrangements for risk management.
RISK COMMUNICATION
Risk Communication
– risks posed to stakeholders on the web are technological hazards
– classical risk communication model:
• sources
• transmitters
• receivers
CULTURE
[Diagram of the risk communication model; recoverable labels:]
Risk Event
Portrayal of Event with symbols, signals and images by the Sources
Sources: Scientists, Agencies, Interest Groups, Eyewitnesses
Transmitters: Media, Institutions/Agencies, Interest Groups, Opinion Leaders
Receivers: General Public, Affected Organisations/Institutions, Social Groups, Other target audience
Feedback; two-way interaction
[Diagram; labels in order: Initial Information, HEAR, CULTURE, SOCIAL FASHION, PERSONAL VALUES, RELATED ATTITUDES, INFLUENCES, Appeal / Do not Appeal, UNDERSTAND, BELIEVE, PERSONALIZE, RESPOND, New Information]
Communication
The recipient hears the information and then screens it based on social fashion, personal values and attitudes, under the influence of peer groups (cultural forces), before understanding the message
Believing involves acceptance that the understanding is correct
– the risk is real
Personalisation
– the risk event will affect the receiver
Response
– decision to take action for protection from risk
Credibility of information sources and transmitters is a key issue in risk communication
TRUST AND CONFIDENCE VS CREDIBILITY
Trust is an important ingredient in any trade transaction
Trust acts as the mitigating factor for the risks assumed by one party on the other party in the trade
As trust increases the risks either reduce or become manageable by the trusting party
Existence of trust also reduces the transaction cost in a trade
INSTITUTIONAL CREDIBILITY
The social climate pre-sets the conditions under which an institution has to operate to gain and maintain trust
In a positive climate people invest more trust in institutions
In a negative climate people tend to be cautious and seek to have more control
Risk Perception, Trust and Credibility
Hypothesis:
– once trust and credibility exist in a relationship among the stakeholders during risk communication, stakeholders do not get involved in the analysis of risk factors individually, and
– information systems security becomes less important to people when dealing with a trustworthy and credible institution.
The personality of the communicator, with attributes of ability and integrity, is also important in establishing trust.
Overall, the message, communicator, institution, and social context are the major factors in establishing trust within an organization.
Risk Perception, Trust and Credibility
Inferential analysis:
– inverse correlation between trust and security on the internet
– the higher the trust placed on an organization, the lower was the security concern.