Computer Security Management
(ISYS20261)
Lecture 11 – Methods of Defence




 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Previously …

• Computer security - protection of information related assets:
  – Data
  – Hardware
  – Software
  – People
  – Intangible assets

• Information security requirements:
  – Confidentiality
  – Integrity
  – Availability




Computer Security Management
Page 2
Definitions

• Harm
  – Something happens to an asset that we do not want to happen

• Threat
  – Possible source of harm

• Attack
  – Threatening event (instance of a threat)

• Attacker
  – Someone or something that mounts a threat

• Vulnerability
  – Weakness in the system (asset) that makes an attack more likely to succeed

• Risk
  – Likelihood that a threat will be realised and affect the business or organisation, weighed against the impact if it does

Harm and threats

• Six basic types of harm:
  – Modification
  – Destruction
  – Disclosure
  – Interception
  – Interruption
  – Fabrication

• A threat is a possible source of harm
• Example: a virus that formats a computer's hard disk (destruction)
• Threats are realised by exploiting vulnerabilities in systems




Vulnerabilities

• Weaknesses in a system
• Might arise from:
  – Poor design
  – Poor implementation
  – Technological advances (e.g. cheaper computing power making older key lengths breakable)

• Examples:
  – Password management flaws
  – Fundamental operating system design flaws
  – Software bugs
  – Unchecked user input
  – Social engineering
  – Etc.



Basic types of attacks

• Host-based Attacks
  – Malicious Code
  – Malicious Software

• Network-based Attacks
  – Sniffing
  – IP address spoofing
  – Man-in-the-middle attack
  – Denial-of-service attack (DoS)
  – OS-based attacks
  – Web application attacks

• Social Engineering
  – Pretexting
  – Phishing
  – Etc.
Today ...

• Protection against harm
• Methods of defence (countermeasures)




Defence

• Protection against harm:
  – Prevent it by blocking the attack or closing the vulnerability it needs
  – Deter it by making the attack harder or costlier (but not impossible!)
  – Deflect it by making another target more attractive (e.g. a honeypot)
  – Detect it, either as it happens or some time afterwards
  – Recover from its effects (backups, incident response)
  – Or use any combination of the above

• Methods of defence
  – Software controls
  – Encryption
  – Physical and hardware controls




Software

• Software provides the functionality of an information processing system
  – Often the weakest link in the security chain

• Three aspects:
  – Operating systems
  – Applications
  – Software development process

• Each of these needs to be controlled




Operating system controls

• Limitations need to be built into OSs to
  – Protect the system against unauthorised users
  – Protect each user from other users
  – Protect the OS itself from its users

• Access control
  – authentication
  – authorisation
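The two halves of access control named on this slide, authentication and authorisation, together with the detect and deter modes from the Defence slide, as one small reference monitor. This is an added example written for this page, not code from the lecture; the users, resources, ACL entries and the lockout threshold are hypothetical.

```python
"""Added example (not from the lecture): a minimal reference monitor.
Authentication checks a salted PBKDF2 password hash, authorisation
checks an access-control list, failed logins are counted (deter) and
every decision is written to an audit log (detect). All data is
constructed for the example."""
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {}                # name -> (salt, password hash); never plaintext

def add_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = (salt, _hash_password(password, salt))

# Authorisation database: resource -> user -> set of rights (hypothetical).
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "config.ini": {"alice": {"read"}},
}

MAX_FAILURES = 3          # deter brute force: lock after this many bad passwords
FAILED = {}               # user -> consecutive failed attempts
AUDIT = []                # detect: every decision is logged for later review

def authenticate(name: str, password: str) -> bool:
    """Verify a password with a constant-time comparison and enforce lockout."""
    if FAILED.get(name, 0) >= MAX_FAILURES:
        AUDIT.append(f"DENY  auth {name}: account locked")
        return False
    rec = USERS.get(name)
    if rec is None:
        # Unknown user: do the same work so timing does not reveal valid names.
        _hash_password(password, b"\0" * 16)
        AUDIT.append(f"DENY  auth {name}: unknown user")
        return False
    salt, stored = rec
    if hmac.compare_digest(_hash_password(password, salt), stored):
        FAILED[name] = 0
        AUDIT.append(f"ALLOW auth {name}")
        return True
    FAILED[name] = FAILED.get(name, 0) + 1
    AUDIT.append(f"DENY  auth {name}: bad password ({FAILED[name]}/{MAX_FAILURES})")
    return False

def authorise(name: str, resource: str, right: str) -> bool:
    """Check the ACL; the default is deny (no entry means no access)."""
    allowed = right in ACL.get(resource, {}).get(name, set())
    AUDIT.append(f"{'ALLOW' if allowed else 'DENY '} {right} {resource} by {name}")
    return allowed

def access(name: str, password: str, resource: str, right: str) -> bool:
    """The reference monitor: every access passes authentication, then authorisation."""
    return authenticate(name, password) and authorise(name, resource, right)

if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")
    add_user("bob", "hunter2")
    print(access("alice", "correct horse battery staple", "payroll.db", "write"))  # True
    print(access("bob", "hunter2", "payroll.db", "write"))  # False: bob may only read
    for _ in range(MAX_FAILURES):
        access("bob", "wrong", "payroll.db", "read")
    print(access("bob", "hunter2", "payroll.db", "read"))   # False: account now locked
    print("\n".join(AUDIT))
```

The point to notice is that the monitor fails closed: an unknown user, a missing ACL entry and a locked account all end in a denial, and each denial leaves a record that a later review (or an intrusion detection rule) can act on.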




Application controls

• Built into the software application itself
• Limit access to
  – The program (who may run it, and which functions)
  – Its data (who may read or change which records)

• May also check the computing environment it runs in (e.g. OS version, integrity of its own files, presence of a debugger)




Software development controls

• Aim: preventing vulnerabilities in the software
• Using quality standards
  – ISO 9001
  – Capability Maturity Model (CMM)
  – etc

• Using established development methodologies
  – V model
  – Appropriate and Effective Guidance for Information Security (AEGIS)
  – Security Development Lifecycle (SDL)
  – Etc.

• Use appropriate languages, libraries, architectures and patterns
• Rigorous coding, testing and maintenance practices
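The "unchecked user input" vulnerability from the Vulnerabilities slide, and the remedy this slide points at (use the library's facilities rather than hand-built string handling), shown side by side. This is an added example for this page, not code from the lecture; it uses Python's standard sqlite3 module and a constructed in-memory table with two hypothetical accounts.

```python
"""Added example (not from the lecture): an application-level lookup with
unchecked input beside the parameterised version. The table contents and
the injection string are constructed for the example."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Unchecked input: the caller's string is pasted into the SQL text,
    so a quote in the input rewrites the query itself."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes the value separately from
    the SQL, so it can only ever be compared as data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def allowlist_name(name: str) -> str:
    """Defence in depth: reject input that does not have the expected form
    before it reaches the database at all."""
    if not (1 <= len(name) <= 32 and name.isalnum()):
        raise ValueError("invalid user name")
    return name

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"                 # classic injection string
    print(lookup_vulnerable(db, payload))    # both rows: the WHERE clause was rewritten
    print(lookup_safe(db, payload))          # []: treated as a literal name, matches nothing
    print(lookup_safe(db, allowlist_name("alice")))  # [('alice', 'admin')]
```

The vulnerable version is exactly the "software bug" and "unchecked user input" entries from the earlier slide in one place; the fix is not a cleverer escaping routine but using the interface the library already provides, which is what "use appropriate languages, libraries, architectures and patterns" means in practice.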

Encryption

• Transforming data (plain text) so that it becomes meaningless to an
  observer (cipher text)
• Done using an encryption algorithm (cipher)
• The transformation is controlled by a key or passphrase; the algorithm
  itself need not be secret
• Can be used to
  – Scramble messages in transit
  – Scramble stored data (e.g. a database)

• A legitimate user who wants to read the data (cipher text) must first
  transform it back into plain text (decryption)
• Only a holder of the right key can do this: the person who encrypted the
  data and anyone who shares the agreed key (symmetric encryption), or, with
  public-key encryption, the holder of the matching private key
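What "scrambling with an agreed key" looks like as working code. This is an added example for this page, not from the lecture: a passphrase is turned into keys, the plain text is XORed with a keystream, and an integrity tag is appended so that a wrong key or a modified cipher text is rejected rather than silently decrypted to garbage. It uses only the Python standard library; the hash-based keystream is there to keep the construction visible and is not a substitute for AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Added example (not from the lecture): passphrase-based encryption with
an encrypt-then-MAC integrity tag. Illustrative construction; use a
vetted authenticated cipher in real systems."""
import hashlib
import hmac
import os

def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Passphrase -> 64 bytes via PBKDF2, split into encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag

def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first; only then undo the keystream. Raises on failure."""
    if len(blob) < 64:
        raise ValueError("ciphertext too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or ciphertext modified")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

if __name__ == "__main__":
    msg = b"salary file: alice 52000, bob 41000"   # constructed sample plain text
    blob = encrypt("agreed passphrase", msg)
    print(blob.hex())                               # meaningless to an observer
    print(decrypt("agreed passphrase", blob))       # the original message
    try:
        decrypt("guessed passphrase", blob)
    except ValueError as e:
        print("rejected:", e)
```

Two details matter more than the cipher itself: a fresh random salt and nonce on every call, so encrypting the same message twice gives different cipher text, and checking the tag before touching the plain text, so an attacker who flips bits in transit gets an error rather than a subtly altered document.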

Physical and hardware controls

• Physical controls
  – Locks on doors
  – Guards at entry points
  – Physical site planning
  – Limiting emanations that leak information (e.g. electromagnetic radiation from displays, power consumption that enables power analysis)
  – etc

• Hardware controls
  – Hardware encryption systems
  – Locks or cables limiting access (or deterring from theft)
  – Devices to verify user’s identity
  – Firewalls
  – Intrusion detection systems
  – Trusted computing platform (e.g. a TPM as hardware root of trust)
  – etc

Summary

Today we learned:
• Protection against harm
• Using countermeasures (controls)
  – Software controls
  – Encryption
  – Physical and hardware controls




