SlideShare a Scribd company logo

Basic security concepts_chapter_1

Download as PPT, PDF
A
abdifatah said

network security

Education
1 of 26
TOPIC 1TOPIC 1 Basic Security ConceptsBasic Security Concepts
INTRODUCTIONINTRODUCTION  What is security?What is security? Security is about the protection of assets.Security is about the protection of assets. - Computer-related assets.- Computer-related assets. Computing system :- hardware, software,Computing system :- hardware, software, storage media, data and people.storage media, data and people.  Principle of Easiest PenetrationPrinciple of Easiest Penetration Intruder must be expected to use allIntruder must be expected to use all available means of penetration. Use theavailable means of penetration. Use the ‘weakest point’.‘weakest point’.
INTRODUCTIONINTRODUCTION  There are 3 classification of protection:There are 3 classification of protection: – PreventionPrevention: take measures that prevent your: take measures that prevent your assets from being damaged.assets from being damaged. – DetectionDetection: take measures that allow you to: take measures that allow you to detect when an asset has been damageddetect when an asset has been damaged – ReactionReaction: take measures that allow you to: take measures that allow you to recover your assets or to recover from damagerecover your assets or to recover from damage to your assets.to your assets.
 Example from physical world:Example from physical world: – PreventionPrevention: locks at the door or window bars,: locks at the door or window bars, wall around the propertywall around the property – DetectionDetection: you detect when something has been: you detect when something has been stolen if it is no longer there, a burglar alarmstolen if it is no longer there, a burglar alarm goes on when break-in occurs, cctv providegoes on when break-in occurs, cctv provide information that allows you to identify intrudersinformation that allows you to identify intruders – ReactionReaction: you can call the police or you may: you can call the police or you may decide to replace the stolen itemdecide to replace the stolen item INTRODUCTIONINTRODUCTION
INTRODUCTIONINTRODUCTION  Example from cyber world: consider credit card fraudExample from cyber world: consider credit card fraud cases.cases. – PreventionPrevention: use encryption when placing an order,: use encryption when placing an order, rely on the merchant to perform some checks on therely on the merchant to perform some checks on the caller before accepting a credit card order or don’tcaller before accepting a credit card order or don’t use credit card number on the Internet.use credit card number on the Internet. – DetectionDetection: a transaction that you had not authorized: a transaction that you had not authorized appears on your credit card statements.appears on your credit card statements. – ReactionReaction: you can ask for new credit card number,: you can ask for new credit card number, the cost of the fraudulent may be recovered by thethe cost of the fraudulent may be recovered by the card holder or the merchant where the fraudster hadcard holder or the merchant where the fraudster had made the purchase or the credit card issuer.made the purchase or the credit card issuer.
SECURITY GOALS SECURITY GOALS INTEGRITY: An assets can be modified only by authorized or only in authorized ways. CONFIDENTIALITY: an assets of computing systems are available only by authorized parties (also known as secrecy). AVAILABILITY : An assets are accessible to authorized parties when needed without any delay.
SECURITY THREATS INTERRUPTION: An asset of the system is destroyed or become unavailable or unusable – attack on AVAILABILTY INTERCEPTION: An unauthorized party (program, person, computer) gains access to an asset – attack on CONFIDENTIALITY MODIFICATION: An unauthorized party not only gain access to but tampers with an assets – attack on INTEGRITY FABRICATION: An unauthorized party insert counterfeit objects into the system – an attack on AUTHENTICITY
Information source Information destination INTERRUPTION Information source Information destination MODIFICATION Information source Information destination INTERCEPTION Information source Information destination FABRICATION Middle man Middle man Middle man SECURITY THREATS
Examples of security threats/attacks:Examples of security threats/attacks: Interruption ~ destruction of piece of hardware (hard disk) ~ cutting of communication line or ~ disabling of the file management system Interception ~ wiretapping ~ illicit copy of files or programs Modification ~ changing values in data file, ~ altering a program so that it performs differently, ~ modifying the content of messages being transmitted in a network. Fabrication ~ addition of records to a file, ~ insertion of spurious messages in a network
VulnerabilitiesVulnerabilities VulnerabilitiesVulnerabilities : a weaknesses in the: a weaknesses in the securitysecurity systemsystem that might be exploited to causethat might be exploited to cause loss or harm.loss or harm.
DATADATASOFTWARESOFTWARE HARDWAREHARDWARE Interception (Theft) Interruption (Denial of service) Interruption (Deletion) Interception (piracy) Modification Interruption (Loss) Interception Modification Fabrication Vulnerabilities in Computing Systems
VulnerabilitiesVulnerabilities Threats to Hardware • involuntary machine-slaughter: accidental acts not intended to do serious damage. • voluntary machine-slaughter: intended to do harm Threats to Software • deletion • modification – trojan horse, virus, trapdoor, logic bomb • theft - piracy
VulnerabilitiesVulnerabilities Threats to Data • loss of data •interception • modification • fabrication Threats to other exposed assets • storage media – consider backups • networks – very expose medium, access from distant • access – steal computer time, denial of service • key people – disgruntled employees
Methods of DefenseMethods of Defense Encryption provides ~ confidentiality for data ~ integrity ~ basis for protocol SOFTWARE/HARDWARE CONTROLSENCRYPTION POLICIES Software controls: ~ Internal program controls ~ Operating system controls ~ Development controls Hardware controls: ~ hardware devices : - smartcard (encryption) - circuit board ctrl disk drives in PCs~ frequent changes of password ~ training Legal and ethical controls ~ codes of ethics ~ locks of doors ~ backup copies of important s/w and data ~ physical site planning (reduce natural disasters) PHYSICAL CONTROLS METHODS OF DEFENSE METHODS OF DEFENSE
Who are the people?Who are the people?  AmateursAmateurs:: not career criminal but normal people who observe a flaw in a security system – have access to something valuable.  Crackers: may be university or high school students who attempt to access computing facilities for which they have not been authorized.  Career criminal: understands the targets of computer crime, international groups, electronic spies, information brokers.  Hackers: someone with deep knowledge and interest in operating systems or multiple OS. Do not attempt to intentionally break any system (non- malicious).
How to makes a systemHow to makes a system secure?secure? There are four methods how computer security provideThere are four methods how computer security provide protection:protection: (1)(1) System Access ControlSystem Access Control : ensuring that unauthorized: ensuring that unauthorized users don’t get into the system.users don’t get into the system. (2)(2) Data Access ControlData Access Control : monitoring who can access: monitoring who can access what data and for what purposes.what data and for what purposes. (3)(3) System and Security AdministrationSystem and Security Administration : performing: performing certain procedures (system administrator’s responsibilities orcertain procedures (system administrator’s responsibilities or training users appropriately)training users appropriately) (4)(4) System DesignSystem Design: Taking advantage of basic hardware: Taking advantage of basic hardware and software security characteristics.and software security characteristics.
System Access ControlSystem Access Control  The first way in which system provides computerThe first way in which system provides computer security is by controlling access to that system:security is by controlling access to that system: – Who’s allowed to log in?Who’s allowed to log in? – How does the system decide whether a user is legitimate?How does the system decide whether a user is legitimate?  Identification and authentication provides theIdentification and authentication provides the above.above.
Identification & AutheticationIdentification & Authetication  IdentificationIdentification tells the system who you aretells the system who you are  AuthenticationAuthentication proves to the system that you areproves to the system that you are who you are.who you are.  There are 3 ways to prove ourselves:There are 3 ways to prove ourselves: – Something you knowSomething you know – Something you haveSomething you have – Something you areSomething you are System Access ControlSystem Access Control
e.g.: password ~ you know the password, you the owner IDENTIFICATION & AUTHENTICATION IDENTIFICATION & AUTHENTICATION SOMETHING YOU HAVE SOMETHING YOU KNOW SOMETHING YOU ARE e.g.: tokens, keys & smart cards ~ you have the key, you must be the owner of it e.g: fingerprints, retina pattern, handprint etc.
Username and PasswordUsername and Password  Typical first line of defenseTypical first line of defense  User name (Login ID) – identificationUser name (Login ID) – identification  Password – authenticationPassword – authentication  Login will succeed if you entered a valid user nameLogin will succeed if you entered a valid user name and corresponding password.and corresponding password. System Access ControlSystem Access Control
 User plays an important role inUser plays an important role in password protection – authenticationpassword protection – authentication is compromised when you gave awayis compromised when you gave away your own password by telling others.your own password by telling others. Common threats on password:Common threats on password: – Password guessing: exhaustive searchPassword guessing: exhaustive search and intelligent searchand intelligent search – Password spoofingPassword spoofing – Compromise of the password fileCompromise of the password file System Access ControlSystem Access Control
 How we can defend password security:How we can defend password security: – Compulsory to set a passwordCompulsory to set a password – Change default passwordChange default password – Password lengthPassword length – Password formatPassword format – Avoid obvious passwordsAvoid obvious passwords  How system help to improve password security:How system help to improve password security: – Password checkersPassword checkers – Password generationPassword generation – Password ageingPassword ageing – Limit login attemptsLimit login attempts – Inform usersInform users System Access ControlSystem Access Control
Data Access ControlData Access Control  On the most elementary level, a subjectOn the most elementary level, a subject may observe an object or alter an object,may observe an object or alter an object, therefore the common access modes aretherefore the common access modes are defined as below:defined as below: – Observe: look at the contents of an objectObserve: look at the contents of an object – Change: change the contents of an objectChange: change the contents of an object
Data Access ControlData Access Control Observe Change execute append read write √ √ √ √ Access rights in the Bell-LaPadula model {execute, read, write} Alice Bill bill.doc edit.exe fun.com {read, write} {execute} {execute} {execute, read} - An access control matrix
Effectiveness of ControlsEffectiveness of Controls  Awareness of ProblemsAwareness of Problems : people will cooperate: people will cooperate with security requirements only if they understandwith security requirements only if they understand why security is appropriate in each specificwhy security is appropriate in each specific situation.situation.  Likelihood of useLikelihood of use : controls must be used to be: controls must be used to be effective – therefore it must be easy to use andeffective – therefore it must be easy to use and appropriate.appropriate.  Overlapping controlsOverlapping controls : combinations of control: combinations of control on one exposure.on one exposure.  Periodic reviewPeriodic review: ongoing task in judging the: ongoing task in judging the effectiveness of a control.effectiveness of a control.
The EndThe End

Recommended

FILE STRUCTURE IN DBMS
FILE STRUCTURE IN DBMSFILE STRUCTURE IN DBMS
FILE STRUCTURE IN DBMSAbhishek Dutta
 
Incident Reporting System
Incident Reporting SystemIncident Reporting System
Incident Reporting SystemSheikh Faiyaz
 
Cloud computing in a nutshell
Cloud computing in a nutshellCloud computing in a nutshell
Cloud computing in a nutshellMehmet Gonullu
 
Validation controls in asp
Validation controls in aspValidation controls in asp
Validation controls in aspShishir Jain
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber SecurityNikunj Thakkar
 
Cloud computing (IT-703) UNIT 1 & 2
Cloud computing (IT-703) UNIT 1 & 2Cloud computing (IT-703) UNIT 1 & 2
Cloud computing (IT-703) UNIT 1 & 2Jitendra s Rathore
 
Operating system security
Operating system securityOperating system security
Operating system securityRachel Jeewa
 
Cyber security and Hacking
Cyber security and HackingCyber security and Hacking
Cyber security and HackingParth Makadiya
 

Recommended

FILE STRUCTURE IN DBMS
FILE STRUCTURE IN DBMSFILE STRUCTURE IN DBMS
FILE STRUCTURE IN DBMSAbhishek Dutta
 
Incident Reporting System
Incident Reporting SystemIncident Reporting System
Incident Reporting SystemSheikh Faiyaz
 
Cloud computing in a nutshell
Cloud computing in a nutshellCloud computing in a nutshell
Cloud computing in a nutshellMehmet Gonullu
 
Validation controls in asp
Validation controls in aspValidation controls in asp
Validation controls in aspShishir Jain
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber SecurityNikunj Thakkar
 
Cloud computing (IT-703) UNIT 1 & 2
Cloud computing (IT-703) UNIT 1 & 2Cloud computing (IT-703) UNIT 1 & 2
Cloud computing (IT-703) UNIT 1 & 2Jitendra s Rathore
 
Operating system security
Operating system securityOperating system security
Operating system securityRachel Jeewa
 
Cyber security and Hacking
Cyber security and HackingCyber security and Hacking
Cyber security and HackingParth Makadiya
 
Network Security: Physical security
Network Security: Physical security Network Security: Physical security
Network Security: Physical security lalithambiga kamaraj
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
cyber security presentation.pptx
cyber security presentation.pptxcyber security presentation.pptx
cyber security presentation.pptxkishore golla
 
Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptxANIKETKUMARSHARMA3
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Crucial decisions in designing a data warehouse
Crucial decisions in designing a data warehouseCrucial decisions in designing a data warehouse
Crucial decisions in designing a data warehouseManju Rajput
 
Cloud and dynamic infrastructure
Cloud and dynamic infrastructureCloud and dynamic infrastructure
Cloud and dynamic infrastructuregaurav jain
 
Network security model.pptx
Network security model.pptxNetwork security model.pptx
Network security model.pptxssuserd24233
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trendsShreedeep Rayamajhi
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksInformation Technology
 
Virtualization security
Virtualization securityVirtualization security
Virtualization securityAhmed Nour
 
Cloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling TechnologiesCloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling TechnologiesAbdelkhalik Mosa
 
Computer security overview
Computer security overviewComputer security overview
Computer security overviewCAS
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
Data center virtualization
Data center virtualizationData center virtualization
Data center virtualizationmazin Salih
 
Asset, Threat, Vulnerability, Risk
Asset, Threat, Vulnerability, RiskAsset, Threat, Vulnerability, Risk
Asset, Threat, Vulnerability, RiskVinay Attry
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)Ali Habeeb
 

More Related Content

What's hot

Network Security: Physical security
Network Security: Physical security Network Security: Physical security
Network Security: Physical security lalithambiga kamaraj
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
cyber security presentation.pptx
cyber security presentation.pptxcyber security presentation.pptx
cyber security presentation.pptxkishore golla
 
Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptxANIKETKUMARSHARMA3
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Crucial decisions in designing a data warehouse
Crucial decisions in designing a data warehouseCrucial decisions in designing a data warehouse
Crucial decisions in designing a data warehouseManju Rajput
 
Cloud and dynamic infrastructure
Cloud and dynamic infrastructureCloud and dynamic infrastructure
Cloud and dynamic infrastructuregaurav jain
 
Network security model.pptx
Network security model.pptxNetwork security model.pptx
Network security model.pptxssuserd24233
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trendsShreedeep Rayamajhi
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksInformation Technology
 
Virtualization security
Virtualization securityVirtualization security
Virtualization securityAhmed Nour
 
Cloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling TechnologiesCloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling TechnologiesAbdelkhalik Mosa
 
Computer security overview
Computer security overviewComputer security overview
Computer security overviewCAS
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
Data center virtualization
Data center virtualizationData center virtualization
Data center virtualizationmazin Salih
 
Asset, Threat, Vulnerability, Risk
Asset, Threat, Vulnerability, RiskAsset, Threat, Vulnerability, Risk
Asset, Threat, Vulnerability, RiskVinay Attry
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 

What's hot (20)

Network Security: Physical security
Network Security: Physical security Network Security: Physical security
Network Security: Physical security
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
cyber security presentation.pptx
cyber security presentation.pptxcyber security presentation.pptx
cyber security presentation.pptx
 
Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptx
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Information security management
Information security managementInformation security management
Information security management
 
Crucial decisions in designing a data warehouse
Crucial decisions in designing a data warehouseCrucial decisions in designing a data warehouse
Crucial decisions in designing a data warehouse
 
Cloud and dynamic infrastructure
Cloud and dynamic infrastructureCloud and dynamic infrastructure
Cloud and dynamic infrastructure
 
Network security model.pptx
Network security model.pptxNetwork security model.pptx
Network security model.pptx
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trends
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
 
Virtualization security
Virtualization securityVirtualization security
Virtualization security
 
Cloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling TechnologiesCloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling Technologies
 
Computer security overview
Computer security overviewComputer security overview
Computer security overview
 
Network security
Network securityNetwork security
Network security
 
Data center virtualization
Data center virtualizationData center virtualization
Data center virtualization
 
Asset, Threat, Vulnerability, Risk
Asset, Threat, Vulnerability, RiskAsset, Threat, Vulnerability, Risk
Asset, Threat, Vulnerability, Risk
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecurity
 

Similar to Basic security concepts_chapter_1

Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)Ali Habeeb
 
E sec chaptr-1
E sec chaptr-1E sec chaptr-1
E sec chaptr-1123aleena
 
informations_security_presentations.pptx
informations_security_presentations.pptxinformations_security_presentations.pptx
informations_security_presentations.pptxFAKHARZAMANPROUD
 
information security importance and use.ppt
information security importance and use.pptinformation security importance and use.ppt
information security importance and use.pptMuhammadAbdullah311866
 
IS L07 - Security, Ethics and Privacy
IS L07 - Security, Ethics and PrivacyIS L07 - Security, Ethics and Privacy
IS L07 - Security, Ethics and PrivacyJan Wong
 
chapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfchapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfsatonaka3
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdfdeepakbharathi16
 
Information security and other issues
Information security and other issuesInformation security and other issues
Information security and other issuesHaseeb Ahmed Awan
 
MIS part 4_CH 11.ppt
MIS part 4_CH 11.pptMIS part 4_CH 11.ppt
MIS part 4_CH 11.pptEndAlk15
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011lbcollins18
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsKimarie Brown
 

Similar to Basic security concepts_chapter_1 (20)

Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)
 
Iss lecture 1
Iss lecture 1Iss lecture 1
Iss lecture 1
 
Intro
IntroIntro
Intro
 
Network Security
Network Security Network Security
Network Security
 
E sec chaptr-1
E sec chaptr-1E sec chaptr-1
E sec chaptr-1
 
informations_security_presentations.pptx
informations_security_presentations.pptxinformations_security_presentations.pptx
informations_security_presentations.pptx
 
Unit v
Unit vUnit v
Unit v
 
Lecture15.ppt
Lecture15.pptLecture15.ppt
Lecture15.ppt
 
information security importance and use.ppt
information security importance and use.pptinformation security importance and use.ppt
information security importance and use.ppt
 
IS L07 - Security, Ethics and Privacy
IS L07 - Security, Ethics and PrivacyIS L07 - Security, Ethics and Privacy
IS L07 - Security, Ethics and Privacy
 
chapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfchapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdf
 
IS Unit II.pptx
IS Unit II.pptxIS Unit II.pptx
IS Unit II.pptx
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdf
 
Information security and other issues
Information security and other issuesInformation security and other issues
Information security and other issues
 
Computer security
Computer securityComputer security
Computer security
 
Cyber Security Briefing
Cyber Security BriefingCyber Security Briefing
Cyber Security Briefing
 
MIS part 4_CH 11.ppt
MIS part 4_CH 11.pptMIS part 4_CH 11.ppt
MIS part 4_CH 11.ppt
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing Informatics
 

Recently uploaded

MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxLigayaBacuel1
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 

Recently uploaded (20)

MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 

Basic security concepts_chapter_1

  • 1. TOPIC 1TOPIC 1 Basic Security ConceptsBasic Security Concepts
  • 2. INTRODUCTIONINTRODUCTION  What is security?What is security? Security is about the protection of assets.Security is about the protection of assets. - Computer-related assets.- Computer-related assets. Computing system :- hardware, software,Computing system :- hardware, software, storage media, data and people.storage media, data and people.  Principle of Easiest PenetrationPrinciple of Easiest Penetration Intruder must be expected to use allIntruder must be expected to use all available means of penetration. Use theavailable means of penetration. Use the ‘weakest point’.‘weakest point’.
  • 3. INTRODUCTIONINTRODUCTION  There are 3 classification of protection:There are 3 classification of protection: – PreventionPrevention: take measures that prevent your: take measures that prevent your assets from being damaged.assets from being damaged. – DetectionDetection: take measures that allow you to: take measures that allow you to detect when an asset has been damageddetect when an asset has been damaged – ReactionReaction: take measures that allow you to: take measures that allow you to recover your assets or to recover from damagerecover your assets or to recover from damage to your assets.to your assets.
  • 4.  Example from physical world:Example from physical world: – PreventionPrevention: locks at the door or window bars,: locks at the door or window bars, wall around the propertywall around the property – DetectionDetection: you detect when something has been: you detect when something has been stolen if it is no longer there, a burglar alarmstolen if it is no longer there, a burglar alarm goes on when break-in occurs, cctv providegoes on when break-in occurs, cctv provide information that allows you to identify intrudersinformation that allows you to identify intruders – ReactionReaction: you can call the police or you may: you can call the police or you may decide to replace the stolen itemdecide to replace the stolen item INTRODUCTIONINTRODUCTION
  • 5. INTRODUCTIONINTRODUCTION  Example from cyber world: consider credit card fraudExample from cyber world: consider credit card fraud cases.cases. – PreventionPrevention: use encryption when placing an order,: use encryption when placing an order, rely on the merchant to perform some checks on therely on the merchant to perform some checks on the caller before accepting a credit card order or don’tcaller before accepting a credit card order or don’t use credit card number on the Internet.use credit card number on the Internet. – DetectionDetection: a transaction that you had not authorized: a transaction that you had not authorized appears on your credit card statements.appears on your credit card statements. – ReactionReaction: you can ask for new credit card number,: you can ask for new credit card number, the cost of the fraudulent may be recovered by thethe cost of the fraudulent may be recovered by the card holder or the merchant where the fraudster hadcard holder or the merchant where the fraudster had made the purchase or the credit card issuer.made the purchase or the credit card issuer.
  • 6. SECURITY GOALS SECURITY GOALS INTEGRITY: An assets can be modified only by authorized or only in authorized ways. CONFIDENTIALITY: an assets of computing systems are available only by authorized parties (also known as secrecy). AVAILABILITY : An assets are accessible to authorized parties when needed without any delay.
  • 7. SECURITY THREATS INTERRUPTION: An asset of the system is destroyed or become unavailable or unusable – attack on AVAILABILTY INTERCEPTION: An unauthorized party (program, person, computer) gains access to an asset – attack on CONFIDENTIALITY MODIFICATION: An unauthorized party not only gain access to but tampers with an assets – attack on INTEGRITY FABRICATION: An unauthorized party insert counterfeit objects into the system – an attack on AUTHENTICITY
  • 9. Examples of security threats/attacks:Examples of security threats/attacks: Interruption ~ destruction of piece of hardware (hard disk) ~ cutting of communication line or ~ disabling of the file management system Interception ~ wiretapping ~ illicit copy of files or programs Modification ~ changing values in data file, ~ altering a program so that it performs differently, ~ modifying the content of messages being transmitted in a network. Fabrication ~ addition of records to a file, ~ insertion of spurious messages in a network
  • 10. VulnerabilitiesVulnerabilities VulnerabilitiesVulnerabilities : a weaknesses in the: a weaknesses in the securitysecurity systemsystem that might be exploited to causethat might be exploited to cause loss or harm.loss or harm.
  • 12. VulnerabilitiesVulnerabilities Threats to Hardware • involuntary machine-slaughter: accidental acts not intended to do serious damage. • voluntary machine-slaughter: intended to do harm Threats to Software • deletion • modification – trojan horse, virus, trapdoor, logic bomb • theft - piracy
  • 13. VulnerabilitiesVulnerabilities Threats to Data • loss of data •interception • modification • fabrication Threats to other exposed assets • storage media – consider backups • networks – very expose medium, access from distant • access – steal computer time, denial of service • key people – disgruntled employees
  • 14. Methods of DefenseMethods of Defense Encryption provides ~ confidentiality for data ~ integrity ~ basis for protocol SOFTWARE/HARDWARE CONTROLSENCRYPTION POLICIES Software controls: ~ Internal program controls ~ Operating system controls ~ Development controls Hardware controls: ~ hardware devices : - smartcard (encryption) - circuit board ctrl disk drives in PCs~ frequent changes of password ~ training Legal and ethical controls ~ codes of ethics ~ locks of doors ~ backup copies of important s/w and data ~ physical site planning (reduce natural disasters) PHYSICAL CONTROLS METHODS OF DEFENSE METHODS OF DEFENSE
  • 15. Who are the people?Who are the people?  AmateursAmateurs:: not career criminal but normal people who observe a flaw in a security system – have access to something valuable.  Crackers: may be university or high school students who attempt to access computing facilities for which they have not been authorized.  Career criminal: understands the targets of computer crime, international groups, electronic spies, information brokers.  Hackers: someone with deep knowledge and interest in operating systems or multiple OS. Do not attempt to intentionally break any system (non- malicious).
  • 16. How to makes a systemHow to makes a system secure?secure? There are four methods how computer security provideThere are four methods how computer security provide protection:protection: (1)(1) System Access ControlSystem Access Control : ensuring that unauthorized: ensuring that unauthorized users don’t get into the system.users don’t get into the system. (2)(2) Data Access ControlData Access Control : monitoring who can access: monitoring who can access what data and for what purposes.what data and for what purposes. (3)(3) System and Security AdministrationSystem and Security Administration : performing: performing certain procedures (system administrator’s responsibilities orcertain procedures (system administrator’s responsibilities or training users appropriately)training users appropriately) (4)(4) System DesignSystem Design: Taking advantage of basic hardware: Taking advantage of basic hardware and software security characteristics.and software security characteristics.
  • 17. System Access ControlSystem Access Control  The first way in which system provides computerThe first way in which system provides computer security is by controlling access to that system:security is by controlling access to that system: – Who’s allowed to log in?Who’s allowed to log in? – How does the system decide whether a user is legitimate?How does the system decide whether a user is legitimate?  Identification and authentication provides theIdentification and authentication provides the above.above.
  • 18. Identification & AutheticationIdentification & Authetication  IdentificationIdentification tells the system who you aretells the system who you are  AuthenticationAuthentication proves to the system that you areproves to the system that you are who you are.who you are.  There are 3 ways to prove ourselves:There are 3 ways to prove ourselves: – Something you knowSomething you know – Something you haveSomething you have – Something you areSomething you are System Access ControlSystem Access Control
  • 19. e.g.: password ~ you know the password, you the owner IDENTIFICATION & AUTHENTICATION IDENTIFICATION & AUTHENTICATION SOMETHING YOU HAVE SOMETHING YOU KNOW SOMETHING YOU ARE e.g.: tokens, keys & smart cards ~ you have the key, you must be the owner of it e.g: fingerprints, retina pattern, handprint etc.
  • 20. Username and PasswordUsername and Password  Typical first line of defenseTypical first line of defense  User name (Login ID) – identificationUser name (Login ID) – identification  Password – authenticationPassword – authentication  Login will succeed if you entered a valid user nameLogin will succeed if you entered a valid user name and corresponding password.and corresponding password. System Access ControlSystem Access Control
  • 21.  User plays an important role inUser plays an important role in password protection – authenticationpassword protection – authentication is compromised when you gave awayis compromised when you gave away your own password by telling others.your own password by telling others. Common threats on password:Common threats on password: – Password guessing: exhaustive searchPassword guessing: exhaustive search and intelligent searchand intelligent search – Password spoofingPassword spoofing – Compromise of the password fileCompromise of the password file System Access ControlSystem Access Control
  • 22.  How we can defend password security:How we can defend password security: – Compulsory to set a passwordCompulsory to set a password – Change default passwordChange default password – Password lengthPassword length – Password formatPassword format – Avoid obvious passwordsAvoid obvious passwords  How system help to improve password security:How system help to improve password security: – Password checkersPassword checkers – Password generationPassword generation – Password ageingPassword ageing – Limit login attemptsLimit login attempts – Inform usersInform users System Access ControlSystem Access Control
  • 23. Data Access ControlData Access Control  On the most elementary level, a subjectOn the most elementary level, a subject may observe an object or alter an object,may observe an object or alter an object, therefore the common access modes aretherefore the common access modes are defined as below:defined as below: – Observe: look at the contents of an objectObserve: look at the contents of an object – Change: change the contents of an objectChange: change the contents of an object
  • 24. Data Access ControlData Access Control Observe Change execute append read write √ √ √ √ Access rights in the Bell-LaPadula model {execute, read, write} Alice Bill bill.doc edit.exe fun.com {read, write} {execute} {execute} {execute, read} - An access control matrix
  • 25. Effectiveness of ControlsEffectiveness of Controls  Awareness of ProblemsAwareness of Problems : people will cooperate: people will cooperate with security requirements only if they understandwith security requirements only if they understand why security is appropriate in each specificwhy security is appropriate in each specific situation.situation.  Likelihood of useLikelihood of use : controls must be used to be: controls must be used to be effective – therefore it must be easy to use andeffective – therefore it must be easy to use and appropriate.appropriate.  Overlapping controlsOverlapping controls : combinations of control: combinations of control on one exposure.on one exposure.  Periodic reviewPeriodic review: ongoing task in judging the: ongoing task in judging the effectiveness of a control.effectiveness of a control.