Administering Security
Unit-6
Index
• Risk analysis
• Legal, Privacy & Ethical issues
• Computer Security: Protecting Programs and
Data
Security in System Development
• Risk Analysis & Management needs to be a
part of system development, not tacked on
afterwards
• Baskerville's three generations of methods
1st Generation: Checklists
Example: BS 7799 Part 1
2nd Generation: Mechanistic engineering methods
Example: this risk analysis method
3rd Generation: Integrated design
Not yet achieved
Risk Analysis and Management Framework
[Diagram: Assets, Threats and Vulnerabilities combine into Risks (the Analysis part of the framework); Risks lead to Security Measures (the Management part).]
Definitions 1
The meanings of terms in this area are not universally
agreed. We will use the following:
• Threat: Harm that can happen to an asset
• Impact: A measure of the seriousness of a threat
• Attack: A threatening event
• Attacker: The agent causing an attack (not
necessarily human)
• Vulnerability: a weakness in the system that
makes an attack more likely to succeed
• Risk: a quantified measure of the likelihood of a
threat being realised
Definitions 2
• Risk Analysis involves the identification and
assessment of the levels of risk, calculated from
the
– Values of assets
– Threats to the assets
– Their vulnerabilities and likelihood of exploitation
• Risk Management involves the identification,
selection and adoption of security measures
justified by
– The identified risks to assets
– The reduction of these risks to acceptable levels
Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
– Their impact on assets has been valued
• All vulnerabilities have been identified and
assessed
Problems of Measuring Risk
Businesses normally wish to measure in money, but
• Many of the entities do not allow this
– Valuation of assets
• Value of data and in-house software - no market value
• Value of goodwill and customer confidence
– Likelihood of threats
• How relevant is past data to the calculation of future
probabilities?
– The nature of future attacks is unpredictable
– The actions of future attackers are unpredictable
– Measurement of benefit from security measures
• Problems with the difference of two approximate quantities
– How does an extra security measure affect a ~10^-5 probability of
attack?
Risk Levels
• Precise monetary values give a false precision
• Better to use levels, e.g.
– High, Medium, Low
• High: major impact on the organisation
• Medium: noticeable impact (“material” in auditing terms)
• Low: can be absorbed without difficulty
– 1 - 10
• Express money values in levels, e.g.
– For a large University Department a possibility is
• High
• Medium
• Low
Risk Analysis Steps
• Decide on scope of analysis
– Set the system boundary
• Identification of assets & business processes
• Identification of threats and valuation of their
impact on assets (impact valuation)
• Identification and assessment of vulnerabilities
to threats
• Risk assessment
Risk Analysis – Defining the Scope
• Draw a context diagram
• Decide on the boundary
– It will rarely be the computer!
• Make explicit assumptions about the security
of neighbouring domains
– Verify them!
Risk Analysis – Identification of Assets
• Types of asset
– Hardware
– Software: purchased or developed programs
– Data
– People: who run the system
– Documentation: manuals, administrative procedures, etc
– Supplies: paper forms, magnetic media, printer liquid, etc
– Money
– Intangibles
• Goodwill
• Organisation confidence
• Organisation image
Risk Analysis – Impact Valuation
Identification and valuation of threats - for each group
of assets
• Identify threats, e.g. for stored data
– Loss of confidentiality
– Loss of integrity
– Loss of completeness
– Loss of availability (Denial of Service)
• For many asset types the only threat is loss of
availability
• Assess impact of threat
– Assess in levels, e.g. H-M-L or 1 - 10
– This gives the valuation of the asset in the face of the threat
Risk Analysis – Process Analysis
• Every company or organisation has some
processes that are critical to its operation
• The criticality of a process may increase the
impact valuation of one or more assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets
Risk Analysis – Vulnerabilities 1
• Identify vulnerabilities against a baseline
system
– For risk analysis of an existing system
• Existing system with its known security measures and
weaknesses
– For development of a new system
• Security facilities of the envisaged software, e.g.
Windows NT
• Standard good practice, e.g. BS 7799 recommendations
of good practice
Risk Analysis – Vulnerabilities 2
For each threat
• Identify vulnerabilities
– The weaknesses through which the threat could be realised
• Assess levels of likelihood - High, Medium, Low
– Of an attempt
• Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
– Of successful exploitation of the vulnerability
• Combine them
[Table: combined likelihood grid. One axis is Likelihood of Attempt (Low, Med, High), the other Likelihood of Success (Low, Med, High); each cell gives the combined likelihood as Low, Med or High. The individual cell values were garbled in extraction.]
Responses to Risk
Responses to risk
• Avoid it completely by withdrawing from an
activity
• Accept it and do nothing
• Reduce it with security measures
Security Measures
Possible security measures
• Transfer the risk, e.g. insurance
• Reduce vulnerability
– Reduce likelihood of attempt
• e.g. publicise security measures in order to deter attackers
• e.g. competitive approach - the lion-hunter’s approach to security
– Reduce likelihood of success by preventive measures
• e.g. access control, encryption, firewall
• Reduce impact, e.g. use fire extinguisher / firewall
• Recovery measures, e.g. restoration from backup
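Worked example, added here and not code from the slides: the H-M-L method of the risk analysis slides (impact valuation, process-criticality revision, combining likelihood of attempt and success, risk assessment) followed by the risk management step of applying a preventive measure, run over a constructed university-department asset set. The two combination grids, the one-level-up rule for critical processes, and all asset, process and threat names and levels are assumptions.

```python
"""H/M/L risk analysis as outlined in the slides. Added illustration, not the
slides' own code; the grids, the critical-process rule and all data are assumed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MED = 2
    HIGH = 3


L, M, H = Level.LOW, Level.MED, Level.HIGH

# Assumed grid, indexed [attempt][success]: an attack must be both attempted
# and succeed, so the combined likelihood is the lower of the two.
LIKELIHOOD_GRID = {L: {L: L, M: L, H: L},
                   M: {L: L, M: M, H: M},
                   H: {L: L, M: M, H: H}}
# Assumed grid, indexed [impact][likelihood] -> risk level.
RISK_GRID = {L: {L: L, M: L, H: M},
             M: {L: L, M: M, H: H},
             H: {L: M, M: H, H: H}}


@dataclass
class Asset:
    name: str
    impact: dict        # threat -> Level (impact valuation)


@dataclass
class Vulnerability:
    asset: str
    threat: str
    attempt: Level      # likelihood that an attack is attempted
    success: Level      # likelihood that an attempt succeeds


def revise_impact(assets, critical_processes):
    """Process analysis: assets needed by a critical process get every impact
    valuation raised one level, capped at HIGH (assumed rule). Returns {name: Asset}."""
    needed = {a for deps in critical_processes.values() for a in deps}
    revised = {}
    for asset in assets:
        impact = dict(asset.impact)
        if asset.name in needed:
            impact = {t: Level(min(lvl + 1, H)) for t, lvl in impact.items()}
        revised[asset.name] = Asset(asset.name, impact)
    return revised


def assess(assets_by_name, vulns):
    """Risk assessment: one (asset, threat, impact, likelihood, risk) row per
    vulnerability, highest risk first."""
    rows = []
    for v in vulns:
        impact = assets_by_name[v.asset].impact[v.threat]
        likelihood = LIKELIHOOD_GRID[v.attempt][v.success]
        rows.append((v.asset, v.threat, impact, likelihood,
                     RISK_GRID[impact][likelihood]))
    rows.sort(key=lambda r: (-r[4], -r[2], r[0]))
    return rows


def apply_measure(vulns, asset, threat, attempt=None, success=None):
    """Risk management: a deterrent lowers the likelihood of attempt, a
    preventive measure (access control, encryption, firewall) that of success."""
    return [Vulnerability(v.asset, v.threat,
                          v.attempt if attempt is None else attempt,
                          v.success if success is None else success)
            if (v.asset, v.threat) == (asset, threat) else v
            for v in vulns]


# Constructed sample: a university department (the slides' own example setting).
ASSETS = [Asset("student-records",
                {"confidentiality": H, "integrity": H, "availability": M}),
          Asset("lecture-web", {"availability": L})]
CRITICAL = {"exam-marking": ("student-records",)}   # critical process -> assets needed
VULNS = [Vulnerability("student-records", "confidentiality", attempt=M, success=H),
         Vulnerability("student-records", "availability", attempt=L, success=M),
         Vulnerability("lecture-web", "availability", attempt=H, success=M)]


def run():
    """Risk register before and after access control on the student records."""
    assets = revise_impact(ASSETS, CRITICAL)
    before = assess(assets, VULNS)
    hardened = apply_measure(VULNS, "student-records", "confidentiality", success=L)
    return before, assess(assets, hardened)


if __name__ == "__main__":
    for label, rows in zip(("before", "after"), run()):
        print(label)
        for asset, threat, imp, lik, risk in rows:
            print(f"  {asset:16} {threat:16} impact={imp.name:4} "
                  f"likelihood={lik.name:4} risk={risk.name}")
```

Note that the records' availability risk is Medium only because the exam-marking process pushed its impact from Medium to High; without the process analysis step it would rank Low.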
Problems of Risk Analysis and Management
• Lack of precision
• Volume of work and volume of output
• Integrating them into a "normal" development
process
Legal, Privacy, and Ethical Issues in
Computer Security
• Program and data protection by patents,
copyrights, and trademarks
• Computer Crime
• Privacy
• Ethical Analysis of computer security
situations
• Codes of professional ethics
Motivation for studying legal issues
• Know what protection the law provides for
computers and data
• Appreciate laws that protect the rights of
others with respect to computers, programs,
and data
• Understand existing laws as a basis for
recommending new laws to protect
computers, programs, and data
Aspects of Protection of the security of
computers
• Protecting computing systems against
criminals
• Protecting code and data (copyright...)
• Protecting programmers’ and employers’ rights
• Protecting private data about individuals
• Protecting users of programs
Ethical vs. Legal Issues
• Q: What’s the difference between a legal issue and an ethical issue?
• How do you determine which it is?
• Should you care which it is?
• What percentage of your time would you guess that you will spend dealing
with ethical or legal issues?
Ethical vs. Legal Issues
• Legal issues:
– Sometimes have a definitive answer
– Determination is made by others (not you)
• Ethical issues:
– Sometimes have a definitive answer
– You determine your course of action
• The law doesn’t make it “right”
• Being “right” doesn’t make it legal
Basic Legal Issues
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)
Protecting Programs and Data
• Copyrights: designed to protect expression of ideas (creative
works of the mind)
– Ideas themselves are free
– Different people can have the same idea
– The way of expressing ideas is copyrighted
• Copyrights are exclusive rights to making copies of
expression
• Copyright protects intellectual property (IP). IP must be:
– Original work
– In some tangible medium of expression
INTELLECTUAL PROPERTY RIGHT
• Intellectual property rights are the legal rights that
cover the privileges given to individuals who own or
have invented a work and have created something
through their intellectual creativity. Individuals in
areas such as literature, music, invention, etc., can be
granted such rights, which they can then use in their
business practices.
• The creator/inventor gets exclusive rights against
any misuse, or use of the work, without his/her prior
knowledge
Types of Intellectual Property Rights
• Copyright
• Patent
• Trademarks
Copyrights
• Public domain: work owned by the public (e.g.
government work)
• Work must be original to the author
• "fair use of a copyrighted work, including such use
by reproduction in copies…for purposes such as
criticism, comment, news reporting, teaching
(including multiple copies for classroom use),
scholarship or research."
• New owner can give away or sell the object
Copyrights
• Each copy must be marked with the copyright symbol
© or the word Copyright, the year and the author's
name
• U.S. copyright lasts for 70 years beyond death of last
surviving author or 95 years after publication for a
company
• Copyright Infringement
• Copyrights for computer software (cannot copyright
the algorithm)
• You do not purchase a piece of software, just the
license to use it.
• Computer menu design can be copyrighted, but not
“look and feel”
Copyrights
• In India, the law on copyright protection is
contained in the Indian Copyright Act, 1957,
which came into effect in January 1958.
• This Act has been amended 5 times since then,
i.e. in 1983, 1984, 1992, 1994, 1999 & 2012.
• The Copyright ( Amendment ) Act 2012 is the
most substantial, bringing the digital
environment into its purview.
Subject Matter of Copyright
• Copyright law protects "original works of
authorship."
• The work does not have to be the first of its kind,
or novel
• It just has to be the independent product of the
author, not copied from another source.
• Copyright is held by an author upon a work's
creation and "fixation" in tangible form, so that it
can be perceived directly or with the aid of a
machine or other device
Contd..
• Works of authorship include the following categories:
(1) literary works;
(2) musical works, including any accompanying words;
(3) dramatic works, including any accompanying music;
(4) choreographic works;
(5) pictorial, graphic, and sculptural works;
(6) motion pictures and other audiovisual works;
(7) sound recordings; and
(8) architectural works.
What Copyright Protects
• Original Literary, Dramatic, Musical and
Artistic Works
• Cinematograph Films
• Sound Recordings
Literary Works
• Novels, poems, short stories
• Books on any subject
• Computer programmes, tables, computer databases
• Song lyrics
Computer Software
Includes
• Programme Manuals
• Punched Cards
• Magnetic Tapes/Discs
• Computer printouts
• Computer programmes
Who owns the copyright?
• Ordinarily, the creator does. However, if he or
she creates the work in the course of employment
or is retained under an appropriate contract to
make the work, then the work is a "work made for
hire," and the employer or the contracting party
owns the copyright. Co-creators jointly own the
copyright in the work they create together.
• In some situations, when a work is created by a
member of the University, Harvard policies vary
the ownership that would otherwise result under
copyright law.
Can a copyright be transferred to
someone else?
• Like any other property, a copyright can be sold
or given to someone else, who then becomes the
owner of the copyright. A copyright is a bundle
of exclusive rights, which can be transferred
separately or all together.
• A copyright owner can also retain the copyright
but permit (or non-exclusively license) others to
exercise some of the owner's rights. For example,
a photographer might permit the use of one of her
photographs on a book jacket.
Permission to reproduce or disseminate
someone else's copyrighted work?
• Find the copyright owner and ask. There are no special
forms that must be used, and permission can be oral or
written, though it is good practice to obtain permission in
writing.
• The copyright owner is free to charge whatever fee he or
she wishes, though the user is likewise free to try to
negotiate a lower fee.
• Most major publishers and periodicals have a "permissions
desk" or a "rights editor," and a written request addressed
in this way will usually find its way to the right person.
• You should specify the publication you wish to take from;
the precise pages, chapters, photographs or the like you
want to use; how many copies you want to make; and the
purpose of your use. Many permissions desks accept
requests by e-mail or through the publisher's website.
Infringement
• A copyright is infringed when one of the exclusive
rights of the copyright holder is violated.
• These include the right to reproduce a copyrighted work,
prepare derivative works based upon it, distribute copies
by sale or other transfer of ownership, perform and
display it publicly, and authorize others to do so
• Three types of infringement
– Direct infringement
– Indirect infringement
– Vicarious liability
Direct Infringement
• Direct infringement occurs when a person
without authorization reproduces, distributes,
displays, or performs a copyrighted work, or
prepares a derivative work based on a
copyrighted work.
• In direct copyright infringement, it does not
matter whether a direct profit is derived from
the infringing works.
Contributory Infringement
• Liability for copyright infringement may be imposed on
persons who have not themselves engaged in the infringing
activity, but where it may be seen as "just to hold one
individual accountable for the actions of another."
• Contributory infringement occurs, for example, where a
person "with knowledge of the infringing activity, induces,
causes or materially contributes to the infringing conduct of
another."
• An Internet provider may be liable for contributory
infringement, says the court, if it knows or should have
known of the infringement and fails to do anything about it.
Exclusive Rights
• Copyright provides an author with a tool to
protect a work from being taken, used, and
exploited by others without permission.
• The owner of a copyrighted work has the
exclusive right
– to reproduce it,
– prepare derivative works based upon it,
– distribute copies by sale or other transfer of ownership,
– to perform and display it publicly, and
– to authorize others to do so.
Patents
• Protect inventions, tangible objects, or ways to make
them, not works of the mind.
• Patent designed to protect the device or process for
carrying out an idea, not the idea itself.
• Patent goes to person who invented the object first
• Algorithms are inventions and can be patented
Patent
• Patents give inventors the exclusive right to
duplicate their invention’s design. Patents cover
devices, formulas, tools, and anything that has
utility. To get a patent, you must apply to the
Patent Office and submit the invention’s design.
You must show that the design is unique. A patent
examiner will determine if you are entitled to a
patent. If so, a patent is granted that prohibits
anyone else from making, using, offering for sale,
selling, or importing the invention. A patent lasts
20 years.
Trademark
• A trademark is a word, phrase, or logo that
identifies a product, a service, or the person or
company that offers a product or service to the
public. You must apply to Trademark Office to
register a federal trademark. If your trademark
is registered, you can generally prevent anyone
else from using a mark that may confuse the
public about who offers the product or service.
Trade Secrets
• Information that gives one company a
competitive edge over others
• Reverse engineering – study finished object
to determine how it is manufactured or how it
works
• Trade secret protection can apply to software
Copyright vs. Patent vs. Trademark
• Copyright protects original works of
authorship,
• while a patent protects inventions or
discoveries.
• A trademark protects words, phrases, symbols,
or designs identifying the source of the goods
or services of one party and distinguishing
them from those of others.
Comparison table: Copyright, Patent and Trade Secret Protection

                         Copyright                      Patent                          Trade Secret
Protects                 Expression of idea,            Invention (the way              Secret, competitive
                         not idea itself                something works)                advantage
Protected object         Yes; intention is to           Design filed at                 No
made public              promote publication            Patent Office
Must distribute          Yes                            No                              No
Ease of filing           Very easy, do-it-yourself      Very complicated; specialist    No filing
                                                        lawyer suggested
Duration                 Originator's life + 70 yrs;    19 years                        Indefinite
                         95 y. for company
Legal protection         Sue if unauthorized            Sue if invention                Sue if secret
                         copy sold                      copied/reinvented               improperly obtained

More Related Content

What's hot

Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
ImXaib
 

What's hot (20)

Security vulnerability
Security vulnerabilitySecurity vulnerability
Security vulnerability
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
Message authentication
Message authenticationMessage authentication
Message authentication
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptography
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Program security chapter 3
Program security chapter 3Program security chapter 3
Program security chapter 3
 
Firewalls
FirewallsFirewalls
Firewalls
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : Algorithm
 
Legal Privacy and Ethical Issues in Computer Security.pptx
Legal Privacy and Ethical Issues in Computer Security.pptxLegal Privacy and Ethical Issues in Computer Security.pptx
Legal Privacy and Ethical Issues in Computer Security.pptx
 
Web Security
Web SecurityWeb Security
Web Security
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Substitution techniques
Substitution techniquesSubstitution techniques
Substitution techniques
 
AES by example
AES by exampleAES by example
AES by example
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introduction
 
Encryption ppt
Encryption pptEncryption ppt
Encryption ppt
 

Similar to Administering security

INFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTSINFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTS
henlydailymotion
 
educational content, educational contented educational content
educational content, educational contented educational contenteducational content, educational contented educational content
educational content, educational contented educational content
Olajide Kuku
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
Komal Zahra
 

Similar to Administering security (20)

ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
INFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTSINFORMATION SECURITY STUDY GUIDE for STUDENTS
INFORMATION SECURITY STUDY GUIDE for STUDENTS
 
Intro.ppt
Intro.pptIntro.ppt
Intro.ppt
 
ch01.ppt
ch01.pptch01.ppt
ch01.ppt
 
information security presentation topics
information security presentation topicsinformation security presentation topics
information security presentation topics
 
educational content, educational contented educational content
educational content, educational contented educational contenteducational content, educational contented educational content
educational content, educational contented educational content
 
164199724-Introduction-To-Digital-Forensics-ppt.ppt
164199724-Introduction-To-Digital-Forensics-ppt.ppt164199724-Introduction-To-Digital-Forensics-ppt.ppt
164199724-Introduction-To-Digital-Forensics-ppt.ppt
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Careers in Cyber Security
Careers in Cyber SecurityCareers in Cyber Security
Careers in Cyber Security
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal Toolkit
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security Twist
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Ch 1 assets
Ch 1 assetsCh 1 assets
Ch 1 assets
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
cyber security notes
cyber security notescyber security notes
cyber security notes
 

More from G Prachi

More from G Prachi (20)

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Basic web security model
Basic web security modelBasic web security model
Basic web security model
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Information security introduction
Information security introductionInformation security introduction
Information security introduction
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
 
Computation systems for protecting delimited data
Computation systems for protecting delimited dataComputation systems for protecting delimited data
Computation systems for protecting delimited data
 
Survey of file protection techniques
Survey of file protection techniquesSurvey of file protection techniques
Survey of file protection techniques
 
Protection models
Protection modelsProtection models
Protection models
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Administering security

  • 2. Index • Risk analysis • Legal, Privacy & Ethical issues • Computer Security: Protecting Programs and Data
  • 3. Security in System Development • Risk Analysis & Management needs to be a part of system development, not tacked on afterwards • Baskerville's three generations of methods 1st Generation: Checklists Example: BS 7799 Part 1 2nd Generation: Mechanistic engineering methods Example: this risk analysis method 3rd Generation: Integrated design Not yet achieved
  • 4. Risk Analysis and Management Framework Assets Threats Vulnerabilities Risks Security Measures } } Analysis Management
5. Definitions 1
The meanings of terms in this area are not universally agreed. We will use the following:
• Threat: Harm that can happen to an asset
• Impact: A measure of the seriousness of a threat
• Attack: A threatening event
• Attacker: The agent causing an attack (not necessarily human)
• Vulnerability: a weakness in the system that makes an attack more likely to succeed
• Risk: a quantified measure of the likelihood of a threat being realised

6. Definitions 2
• Risk Analysis involves the identification and assessment of the levels of risk, calculated from the
– Values of assets
– Threats to the assets
– Their vulnerabilities and likelihood of exploitation
• Risk Management involves the identification, selection and adoption of security measures justified by
– The identified risks to assets
– The reduction of these risks to acceptable levels

7. Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
– Their impact on assets has been valued
• All vulnerabilities have been identified and assessed
8. Problems of Measuring Risk
Businesses normally wish to measure in money, but
• Many of the entities do not allow this
– Valuation of assets
• Value of data and in-house software - no market value
• Value of goodwill and customer confidence
– Likelihood of threats
• How relevant is past data to the calculation of future probabilities?
– The nature of future attacks is unpredictable
– The actions of future attackers are unpredictable
– Measurement of benefit from security measures
• Problems with the difference of two approximate quantities
– How does an extra security measure affect a ~10^-5 probability of attack?

9. Risk Levels
• Precise monetary values give a false precision
• Better to use levels, e.g.
– High, Medium, Low
• High: major impact on the organisation
• Medium: noticeable impact ("material" in auditing terms)
• Low: can be absorbed without difficulty
– 1 - 10
• Express money values in levels, e.g.
– For a large University Department a possibility is
• High
• Medium
• Low
10. Risk Analysis Steps
• Decide on scope of analysis
– Set the system boundary
• Identification of assets & business processes
• Identification of threats and valuation of their impact on assets (impact valuation)
• Identification and assessment of vulnerabilities to threats
• Risk assessment

11. Risk Analysis – Defining the Scope
• Draw a context diagram
• Decide on the boundary
– It will rarely be the computer!
• Make explicit assumptions about the security of neighbouring domains
– Verify them!

12. Risk Analysis - Identification of Assets
• Types of asset
– Hardware
– Software: purchased or developed programs
– Data
– People: who run the system
– Documentation: manuals, administrative procedures, etc
– Supplies: paper forms, magnetic media, printer liquid, etc
– Money
– Intangibles
• Goodwill
• Organisation confidence
• Organisation image
13. Risk Analysis – Impact Valuation
Identification and valuation of threats - for each group of assets
• Identify threats, e.g. for stored data
– Loss of confidentiality
– Loss of integrity
– Loss of completeness
– Loss of availability (Denial of Service)
• For many asset types the only threat is loss of availability
• Assess impact of threat
– Assess in levels, e.g. H-M-L or 1 - 10
– This gives the valuation of the asset in the face of the threat

14. Risk Analysis – Process Analysis
• Every company or organisation has some processes that are critical to its operation
• The criticality of a process may increase the impact valuation of one or more assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets

15. Risk Analysis – Vulnerabilities 1
• Identify vulnerabilities against a baseline system
– For risk analysis of an existing system
• Existing system with its known security measures and weaknesses
– For development of a new system
• Security facilities of the envisaged software, e.g. Windows NT
• Standard good practice, e.g. BS 7799 recommendations of good practice

16. Risk Analysis – Vulnerabilities 2
For each threat
• Identify vulnerabilities
– How to exploit a threat successfully
• Assess levels of likelihood - High, Medium, Low
– Of attempt
• Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
– Of successful exploitation of vulnerability
• Combine them
[Table: Likelihood of Attempt (High, Med, Low) against Likelihood of Success (High, Med, Low), giving the combined likelihood as High, Med or Low]
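A worked example of the analysis steps on slides 10 to 16, added here and not part of the original slides: each asset gets an H/M/L impact valuation per threat, a critical process raises that valuation (slide 14), each vulnerability is rated by likelihood of attempt and of success and the two are combined (slide 16), and the resulting risks are ranked. The combination table and the impact-plus-likelihood rule are this example's own assumptions, and the sample inventory is constructed.

```python
# Added example: a small High/Med/Low risk-analysis calculator following the
# slides' steps (assets -> threats -> vulnerabilities -> risk). The two lookup
# rules below are this example's assumptions, not values taken from the slides.
LEVELS = ("Low", "Med", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Assumed combination of likelihood of attempt (row) with likelihood of success
# (column): High only when one side is High and the other at least Med.
COMBINED = {
    ("High", "High"): "High", ("High", "Med"): "High", ("High", "Low"): "Med",
    ("Med", "High"): "High",  ("Med", "Med"): "Med",   ("Med", "Low"): "Low",
    ("Low", "High"): "Med",   ("Low", "Med"): "Low",   ("Low", "Low"): "Low",
}

def raise_level(level):
    """Slide 14: a critical process raises the impact valuation one step."""
    return LEVELS[min(RANK[level] + 1, 2)]

def combine_likelihood(attempt, success):
    """Slide 16: combine likelihood of attempt with likelihood of success."""
    return COMBINED[(attempt, success)]

def risk_level(impact, likelihood):
    """Assumed rule: add the two ranks; 0-1 -> Low, 2 -> Med, 3-4 -> High."""
    total = RANK[impact] + RANK[likelihood]
    return "Low" if total <= 1 else "Med" if total == 2 else "High"

def assess(inventory):
    """Return (asset, threat, vulnerability, risk) rows, highest risk first.
    inventory: {asset: (critical_process, {threat: (impact, [vulns])})},
    each vuln being (name, likelihood_of_attempt, likelihood_of_success)."""
    rows = []
    for asset, (critical, threats) in inventory.items():
        for threat, (impact, vulns) in threats.items():
            impact = raise_level(impact) if critical else impact
            for name, attempt, success in vulns:
                risk = risk_level(impact, combine_likelihood(attempt, success))
                rows.append((asset, threat, name, risk))
    return sorted(rows, key=lambda r: -RANK[r[3]])  # stable sort keeps order

# Constructed sample inventory for a university department (not from the slides).
SAMPLE = {
    "Student records database": (True, {
        "Loss of confidentiality": ("Med", [
            ("Shared administrator password", "High", "Med"),
            ("Brute force of encryption keys", "Low", "Low")]),
        "Loss of availability": ("Med", [("No tested backups", "Med", "High")]),
    }),
    "Printer supplies": (False, {
        "Loss of availability": ("Low", [("Theft from store room", "Med", "High")]),
    }),
}
```

Running `assess(SAMPLE)` ranks the two High risks on the critical student-records asset first; the expensive brute-force attack stays at Med even on that asset because its likelihood of attempt is Low.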
17. Responses to Risk
• Avoid it completely by withdrawing from an activity
• Accept it and do nothing
• Reduce it with security measures

18. Security Measures
Possible security measures
• Transfer the risk, e.g. insurance
• Reduce vulnerability
– Reduce likelihood of attempt
• e.g. publicise security measures in order to deter attackers
• e.g. competitive approach - the lion-hunter's approach to security
– Reduce likelihood of success by preventive measures
• e.g. access control, encryption, firewall
• Reduce impact, e.g. use fire extinguisher / firewall
• Recovery measures, e.g. restoration from backup

19. Problems of Risk Analysis and Management
• Lack of precision
• Volume of work and volume of output
• Integrating them into a "normal" development process
20. Legal, Privacy, and Ethical Issues in Computer Security
• Program and data protection by patents, copyrights, and trademarks
• Computer Crime
• Privacy
• Ethical Analysis of computer security situations
• Codes of professional ethics

21. Motivation for studying legal issues
• Know what protection the law provides for computers and data
• Appreciate laws that protect the rights of others with respect to computers, programs, and data
• Understand existing laws as a basis for recommending new laws to protect computers, programs, and data

22. Aspects of Protection of the security of computers
• Protecting computing systems against criminals
• Protecting code and data (copyright...)
• Protecting programmers' and employers' rights
• Protecting private data about individuals
• Protecting users of programs

23. Ethical vs. Legal Issues
• Q: What's the difference between a legal issue and an ethical issue?
• How do you determine which it is?
• Should you care which it is?
• What percentage of your time would you guess that you will spend dealing with ethical or legal issues?

24. Ethical vs. Legal Issues
• Legal issues:
– Sometimes have a definitive answer
– Determination is made by others (not you)
• Ethical issues:
– Sometimes have a definitive answer
– You determine your course of action
• The law doesn't make it "right"
• Being "right" doesn't make it legal

25. Basic Legal Issues
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)
26. Protecting Programs and Data
• Copyrights — designed to protect expression of ideas (creative works of the mind)
– Ideas themselves are free
– Different people can have the same idea
– The way of expressing ideas is copyrighted
• Copyrights are exclusive rights to making copies of expression
• Copyright protects intellectual property (IP)
• IP must be:
– Original work
– In some tangible medium of expression

27. INTELLECTUAL PROPERTY RIGHT
• Intellectual property rights are the legal rights that cover the privileges given to individuals who are the owners and inventors of a work, and have created something with their intellectual creativity. Individuals related to areas such as literature, music, invention, etc., can be granted such rights, which they can then use in their business practices.
• The creator/inventor gets exclusive rights against any misuse or use of the work without his/her prior information

28. Types of Intellectual Property Rights
• Copyright
• Patent
• Trade marks

29. Copyrights
• Public domain - work owned by the public (e.g. government)
• Work must be original to the author
• "fair use of a copyrighted work, including such use by reproduction in copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research."
• New owner can give away or sell object

30. Copyrights
• Each copy must be marked with the copyright symbol © or the word Copyright, the year and the author's name
• U.S. copyright lasts for 70 years beyond death of last surviving author or 95 years after publication for a company
• Copyright Infringement
• Copyrights for computer software (cannot copyright the algorithm)
• You do not purchase a piece of software, just the license to use it
• Computer menu design can be copyrighted, but not "look and feel"
31. Copyrights
• In India, the law on copyright protection is contained in the Indian Copyright Act, 1957, which came into effect in January 1958
• This Act has been amended 5 times since then, i.e. in 1983, 1984, 1992, 1994, 1999 & 2012
• The Copyright (Amendment) Act 2012 is the most substantial, bringing the digital environment into its purview

32. Subject Matter of Copyright
• Copyright law protects "original works of authorship"
• The work does not have to be the first of its kind, or novel; it just has to be the independent product of the author, not copied from another source
• Copyright is held by an author upon a work's creation and "fixation" in tangible form, so that it can be perceived directly or with the aid of a machine or other device

33. Contd.
• Works of authorship include the following categories:
(1) literary works;
(2) musical works, including any accompanying words;
(3) dramatic works, including any accompanying music;
(4) choreographic works;
(5) pictorial, graphic, and sculptural works;
(6) motion pictures and other audiovisual works;
(7) sound recordings; and
(8) architectural works.

34. What Copyright Protects
• Original Literary, Dramatic, Musical and Artistic Works
• Cinematograph Films
• Sound Recordings

35. Literary Works
• Novels, poems, short stories
• Books on any subject
• Computer programmes, tables, computer databases
• Song lyrics

36. Computer Software Includes
• Programme Manuals
• Punched Cards
• Magnetic Tapes/Discs
• Computer printouts
• Computer programmes
37. Who owns the copyright?
• Ordinarily, the creator does. However, if he or she creates the work in the course of employment or is retained under an appropriate contract to make the work, then the work is a "work made for hire," and the employer or the contracting party owns the copyright. Co-creators jointly own the copyright in the work they create together.
• In some situations, when a work is created by a member of the University, Harvard policies vary the ownership that would otherwise result under copyright law.

38. Can a copyright be transferred to someone else?
• Like any other property, a copyright can be sold or given to someone else, who then becomes the owner of the copyright. A copyright is a bundle of exclusive rights, which can be transferred separately or all together.
• A copyright owner can also retain the copyright but permit (or non-exclusively license) others to exercise some of the owner's rights. For example, a photographer might permit the use of one of her photographs on a book jacket.

39. Permission to reproduce or disseminate someone else's copyrighted work?
• Find the copyright owner and ask. There are no special forms that must be used, and permission can be oral or written, though it is good practice to obtain permission in writing.
• The copyright owner is free to charge whatever fee he or she wishes, though the user is likewise free to try to negotiate a lower fee.
• Most major publishers and periodicals have a "permissions desk" or a "rights editor," and a written request addressed in this way will usually find its way to the right person.
• You should specify the publication you wish to take from; the precise pages, chapters, photographs or the like you want to use; how many copies you want to make; and the purpose of your use. Many permissions desks accept requests by e-mail or through the publisher's website.
40. Infringement
• A copyright is infringed when one of the exclusive rights of the copyright holder is violated.
• These include the right to reproduce a copyrighted work, prepare derivative works based upon it, distribute copies by sale or other transfer of ownership, to perform and display it publicly, and to authorize others to do so
• Three types of infringement
– Direct infringement
– Indirect infringement
– Vicarious liabilities

41. Direct Infringement
• Direct infringement occurs when a person without authorization reproduces, distributes, displays, or performs a copyrighted work, or prepares a derivative work based on a copyrighted work.
• In direct copyright infringement, it does not matter whether a direct profit is derived from the infringing works.

42. Contributory Infringement
• Liability for copyright infringement may be imposed on persons who have not themselves engaged in the infringing activity, but where it may be seen as "just to hold one individual accountable for the actions of another."
• Contributory infringement occurs, for example, where a person "with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another."
• An Internet provider may be liable for contributory infringement, says the court, if it knows or should have known of the infringement and fails to do anything about it.

43. Exclusive Rights
• Copyright provides an author with a tool to protect a work from being taken, used, and exploited by others without permission.
• The owner of a copyrighted work has the exclusive right
– to reproduce it,
– prepare derivative works based upon it,
– distribute copies by sale or other transfer of ownership,
– to perform and display it publicly, and
– to authorize others to do so.
44. Patents
• Protect inventions, tangible objects, or ways to make them, not works of the mind
• Patent designed to protect the device or process for carrying out an idea, not the idea itself
• Patent goes to person who invented the object first
• Algorithms are inventions and can be patented

45. Patent
• Patents give inventors the exclusive right to duplicate their invention's design. Patents cover devices, formulas, tools, and anything that has utility. To get a patent, you must apply to the Patent Office and submit the invention's design. You must show that the design is unique. A patent examiner will determine if you are entitled to a patent. If so, a patent is granted that prohibits anyone else from making, using, offering for sale, selling, or importing the invention. A patent lasts 20 years.

46. Trademark
• A trademark is a word, phrase, or logo that identifies a product, a service, or the person or company that offers a product or service to the public. You must apply to the Trademark Office to register a federal trademark. If your trademark is registered, you can generally prevent anyone else from using a mark that may confuse the public about who offers the product or service.

47. Trade Secrets
• Information that gives one company a competitive edge over others
• Reverse engineering – study finished object to determine how it is manufactured or how it works
• Trade secret protection can apply to software

48. Copyright v/s Patent v/s Trade mark
• Copyright protects original works of authorship, while a patent protects inventions or discoveries.
• A trademark protects words, phrases, symbols, or designs identifying the source of the goods or services of one party and distinguishing them from those of others.
49. Comparison table: Copyright, Patent and Trade Secret Protection
Protects
– Copyright: Expression of idea, not idea itself
– Patent: Invention — way something works
– Trade Secret: Secret, competitive advantage
Protected Object Made Public
– Copyright: Yes; intention is to promote publication
– Patent: Design filed at Patent Office
– Trade Secret: No
Must Distribute
– Copyright: Yes
– Patent: No
– Trade Secret: No
Ease of filing
– Copyright: Very easy, do-it-yourself
– Patent: Very complicated; specialist lawyer suggested
– Trade Secret: No filing
Duration
– Copyright: Originator's life + 70 yrs; 95 yrs for company
– Patent: 19 years
– Trade Secret: Indefinite
Legal Protection
– Copyright: Sue if unauthorized copy sold
– Patent: Sue if invention copied/reinvented
– Trade Secret: Sue if secret improperly obtained