PG
Uploaded byPrachi Gulihar
1,778 views

Administering security

This document discusses various legal, privacy, and ethical issues related to computer security. It begins by explaining the differences between legal and ethical issues, noting that legal issues have definitive answers determined by others, while ethical issues require determining your own course of action. The document then provides overviews of intellectual property rights like copyrights, patents, and trademarks. It explains what types of works copyright protects, how long copyright lasts, and what constitutes infringement. It also discusses how patents protect inventions and processes, not ideas. Finally, the document compares key aspects of copyright, patent, and trade secret protection.

Embed presentation

Administering Security Unit-6
Index • Risk analysis • Legal, Privacy & Ethical issues • Computer Security: Protecting Programs and Data
Security in System Development • Risk Analysis & Management needs to be a part of system development, not tacked on afterwards • Baskerville's three generations of methods 1st Generation: Checklists Example: BS 7799 Part 1 2nd Generation: Mechanistic engineering methods Example: this risk analysis method 3rd Generation: Integrated design Not yet achieved
Risk Analysis and Management Framework Assets Threats Vulnerabilities Risks Security Measures } } Analysis Management
Definitions 1 The meanings of terms in this area is not universally agreed. We will use the following • Threat: Harm that can happen to an asset • Impact: A measure of the seriousness of a threat • Attack: A threatening event • Attacker: The agent causing an attack (not necessarily human) • Vulnerability: a weakness in the system that makes an attack more likely to succeed • Risk: a quantified measure of the likelihood of a threat being realised
Definitions 2 • Risk Analysis involves the identification and assessment of the levels of risk, calculated from the – Values of assets – Threats to the assets – Their vulnerabilities and likelihood of exploitation • Risk Management involves the identification, selection and adoption of security measures justified by – The identified risks to assets – The reduction of these risks to acceptable levels
Goals of Risk Analysis • All assets have been identified • All threats have been identified – Their impact on assets has been valued • All vulnerabilities have been identified and assessed
Problems of Measuring Risk Businesses normally wish to measure in money, but • Many of the entities do not allow this – Valuation of assets • Value of data and in-house software - no market value • Value of goodwill and customer confidence – Likelihood of threats • How relevant is past data to the calculation of future probabilities? – The nature of future attacks is unpredictable – The actions of future attackers are unpredictable – Measurement of benefit from security measures • Problems with the difference of two approximate quantities – How does an extra security measure affect a ~10-5 probability of attack?
Risk Levels • Precise monetary values give a false precision • Better to use levels, e.g. – High, Medium, Low • High: major impact on the organisation • Medium: noticeable impact (“material” in auditing terms) • Low: can be absorbed without difficulty – 1 - 10 • Express money values in levels, e.g. – For a large University Department a possibility is • High • Medium • Low
Risk Analysis Steps • Decide on scope of analysis – Set the system boundary • Identification of assets & business processes • Identification of threats and valuation of their impact on assets (impact valuation) • Identification and assessment of vulnerabilities to threats • Risk assessment
Risk Analysis – Defining the Scope • Draw a context diagram • Decide on the boundary – It will rarely be the computer! • Make explicit assumptions about the security of neighbouring domains – Verify them!
Risk Analysis - Identification of Assets • Types of asset – Hardware – Software: purchased or developed programs – Data – People: who run the system – Documentation: manuals, administrative procedures, etc – Supplies: paper forms, magnetic media, printer liquid, etc – Money – Intangibles • Goodwill • Organisation confidence • Organisation image
Risk Analysis – Impact Valuation Identification and valuation of threats - for each group of assets • Identify threats, e.g. for stored data – Loss of confidentiality – Loss of integrity – Loss of completeness – Loss of availability (Denial of Service) • For many asset types the only threat is loss of availability • Assess impact of threat – Assess in levels, e.g H-M-L or 1 - 10 – This gives the valuation of the asset in the face of the threat
Risk Analysis – Process Analysis • Every company or organisation has some processes that are critical to its operation • The criticality of a process may increase the impact valuation of one or more assets identified So • Identify critical processes • Review assets needed for critical processes • Revise impact valuation of these assets
Risk Analysis – Vulnerabilities 1 • Identify vulnerabilities against a baseline system – For risk analysis of an existing system • Existing system with its known security measures and weaknesses – For development of a new system • Security facilities of the envisaged software, e.g. Windows NT • Standard good practice, e.g. BS 7799 recommendations of good practice
Risk Analysis – Vulnerabilities 2 For each threat • Identify vulnerabilities – How to exploit a threat successfully; • Assess levels of likelihood - High, Medium, Low – Of attempt • Expensive attacks are less likely (e.g. brute-force attacks on encryption keys) – Successful exploitation of vulnerability; • Combine them Likelihood of Attempt Likelihood of Success Low Low Low Med Med Low Med High HighHigh High Med Med Low Low
Responses to Risk Responses to risk • Avoid it completely by withdrawing from an activity • Accept it and do nothing • Reduce it with security measures
Security Measures Possible security measures • Transfer the risk, e.g. insurance • Reduce vulnerability – Reduce likelihood of attempt • e.g. publicise security measures in order to deter attackers • e.g. competitive approach - the lion-hunter’s approach to security – Reduce likelihood of success by preventive measures • e.g. access control, encryption, firewall • Reduce impact, e.g. use fire extinguisher / firewall • Recovery measures, e.g. restoration from backup
Problems of Risk Analysis and Management • Lack of precision • Volume of work and volume of output • Integrating them into a ”normal” development process
Legal, Privacy, and Ethical Issues in Computer Security • Program and data protection by patents, copyrights, and trademarks • Computer Crime • Privacy • Ethical Analysis of computer security situations • Codes of professional ethics
Motivation for studying legal issues • Know what protection the law provides for computers and data • Appreciate laws that protect the rights of others with respect to computers, programs, and data • Understand existing laws as a basis for recommending new laws to protect compuuters, programs, and data
Aspects of Protection of the security of computers • Protecting computing systems against criminals • Protecting code and data (copyright...) • Protecting programmers’ and employers’ rights • Protecting private data about individuals • Protecting users of programs
23 Ethical vs. Legal Issues • Q: What’s the difference between a legal issue and an ethical issue? • How do you determine which it is? • Should you care which it is? • What percentage of your time would you guess that you will spend dealing with ethical or legal issues?
24 Ethical vs. Legal Issues • Legal issues: – Sometimes have a definitive answer – Determination is made by others (not you) • Ethical issues: – Sometimes have a definitive answer – You determine your course of action • The law doesn’t make it “right” • Being “right” doesn’t make it legal
Basic Legal Issues a) Protecting Programs and Data b) Information and the Law c) Ownership Rights of Employees and Employers d) Software Failures (and Customers)
Protecting Programs and Data  Copyrights — designed to protect expression of ideas (creative works of the mind)  Ideas themselves are free  Different people can have the same idea  The way of expressing ideas is copyrighted  Copyrights are exclusive rights to making copies of expression  Copyright protects intellectual property (IP) IP must be:  Original work  In some tangible medium of expression
INTELLECTUAL PROPERTY RIGHT • Intellectual property rights are the legal rights that cover the privileges given to individuals who are the owners and inventors of a work, and have created something with their intellectual creativity. Individuals related to areas such as literature, music, invention, etc., can be granted such rights, which can then be used in the business practices by them. • The creator/inventor gets exclusive rights against any misuse or use of work without his/her prior information
Types of Intellectual Property Rights • Copyright • Patent • Trade marks.
Copyrights • Public domain- work owned by the public, (e.g. government) • Work must be original to the author • “fair use of a copyrighted work, including such use by reproduction I copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research.” • New owner can give away or sell object
Copyrights • Each copy mist be marked with the copyright symbol © or the word Copyright, the year and the author’s name • U.S. copyright lasts for 70 years beyond death of last surviving author or 95 years after publication for a company • Copyright Infringement • Copyrights for computer software (cannot copyright the algorithm) • You do not purchase a piece of software, just the license to use it. • Computer menu design can be copyrighted, but not “look and feel”
Copyrights • In India, the law on copyright protection is contained in the Indian Copyright Act, 1957 – • which came into effect in January 1958. • This Act has been amended 5 times since then i.e.. In 1983, 1984,1992, 1994, 1999 & 2012. • The Copyright ( Amendment ) Act 2012 is the most substantial, bringing the digital environment into its purview.
Subject Matter of Copyright • Copyright law protects "original works of authorship.“ • The work does not have to be the first of its kind, or novel • it just has to be the independent product of the author, not copied from another source. • Copyright is held by an author upon a work's creation and "fixation“ in tangible form, so that it can be perceived directly or with the aid of a machine or other device
Contd.. • Works of authorship include the following categories (1)literary works; (2)musical works, including any accompanying words; (3)dramatic works, including any accompanying music; (4) choreographic works; (5)pictorial, graphic, and sculptural works; (6)motion pictures and other audiovisual works; (7)sound recordings; and (8)architectural works.
What Copyright Protects • Original Literary, Dramatic, Musical and Artistic Works • Cinematograph Films • Sound Recordings
Literary Works • Novels, poems, short stories • Books on any subject • Computer programmes, tables, computer databases • Song lyrics
Computer Software Includes • Programme Manuals • Punched Cards • Magnetic Tapes/Discs • Computer printouts • Computer programmes
Who owns the copyright? • Ordinarily, the creator does. However, if he or she creates the work in the course of employment or is retained under an appropriate contract to make the work, then the work is a "work made for hire," and the employer or the contracting party owns the copyright. Co-creators jointly own the copyright in the work they create together. • In some situations, when a work is created by a member of the University, Harvard policies vary the ownership that would otherwise result under copyright law.
Can a copyright be transferred to someone else? • Like any other property, a copyright can be sold or given to someone else, who then becomes the owner of the copyright. A copyright is a bundle of exclusive rights, which can be transferred separately or all together. • A copyright owner can also retain the copyright but permit (or non-exclusively license) others to exercise some of the owner's rights. For example, a photographer might permit the use of one of her photographs on a book jacket.
Permission to reproduce or disseminate someone else's copyrighted work? • Find the copyright owner and ask. There are no special forms that must be used, and permission can be oral or written, though it is good practice to obtain permission in writing. • The copyright owner is free to charge whatever fee he or she wishes, though the user is likewise free to try to negotiate a lower fee. • Most major publishers and periodicals have a "permissions desk" or a "rights editor," and a written request addressed in this way will usually find its way to the right person. • You should specify the publication you wish to take from; the precise pages, chapters, photographs or the like you want to use; how many copies you want to make; and the purpose of your use Many permissions desks accept requests by e-mail or through the publisher's website.
Infringement • A copyright is infringed when one of the exclusive rights of the copyright holder is violated. • These include the right to reproduce a – copyrighted work, prepare derivative works based upon it, distribute copies by sale or other transfer of ownership, to perform and display it publicly, and to authorize others to do so – Three types of infringement – Direct infringement – Indirect infringement – Vicarious liabilities
Direct Infringement • Direct infringement occurs when a person without authorizaton reproduces, distributes, displays, or performs a copyrighted work, or prepares a derivative work based on a copyrighted work. • direct copyright infringement, it does not matter. whether a direct profit is derived from the infringing works.
Contributory Infringement • Liability for copyright infringement may be imposed on persons who have not themselves engaged in the infringing activity, but where it may be seen as "just to hold one individual accountable for the actions of another.“ • Contributory infringement occurs, for example, where a person "with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another.“ • An Internet provider may be liable for contributory infringement, says the court, if it knows or should have known of the infringement and fails to do anything about it.
Exclusive Rights • Copyright provides an author with a tool to protect a work from being taken, used, and exploited by others without permission. • The owner of a copyrighted work has the exclusive right – to reproduce it, – prepare derivative works based upon it, – distribute copies by sale or other transfer of ownership, – to perform and display it publicly, and – to authorize others to do so.
Patents • Protect inventions, tangible objects, or ways to make them, not works of the mind. • Patent designed to protect the device or process for carrying out an idea, not the idea itself. • Patent goes to person who invented the object first • Algorithms are inventions and can be patented
Patent • Patents give inventors the exclusive right to duplicate their invention’s design. Patents cover devices, formulas, tools, and anything that has utility. To get a patent, you must apply to the Patent Office and submit the invention’s design. You must show that the design is unique. A patent examiner will determine if you are entitled to a patent. If so, a patent is granted that prohibits anyone else from making, using, offering for sale, selling, or importing the invention. A patent lasts 20 years.
Trademark • A trademark is a word, phrase, or logo that identifies a product, a service, or the person or company that offers a product or service to the public. You must apply to Trademark Office to register a federal trademark. If your trademark is registered, you can generally prevent anyone else from using a mark that may confuse the public about who offers the product or service.
Trade Secrets • Information that gives one company a competitive edge over others • Reverse engineering – study finished object to determine how it is manufactured or how it works • Trade secret protection can apply to software
Copyright v/s Patent v/s Trade mark • Copyright protects original works of authorship, • while a patent protects inventions or discoveries. • A trademark protects words, phrases, symbols, or designs identifying the source of the goods or services of one party and distinguishing them from those of others.
Comparison table Copyright, Patent and Trade Secret Protection Copyright Patent Trade Secret Protects Expression of idea, not idea itself Invention—way something works Secret, competitive advantage Protected Object Made Public Yes; intention is to promote publication Design filed at Patent Office No Must Distribute Yes No No Ease of filing Very easy, do-it- yourself Very complicated; specialist lawyer suggested No filing Duration Originator’s life + 70 yrs; 95 y. For company 19 years Indefinite Legal Protection Sue if unauthorized copy sold Sue if invention copied/reinvented Sue if secret improperly obtained

More Related Content

PDF
Authentication techniques
byIGZ Software house
 
PPTX
Dbms architecture
byShubham Dwivedi
 
PPT
Security Attacks.ppt
byZaheer720515
 
PDF
Network security & cryptography full notes
bygangadhar9989166446
 
PPTX
DeadLock in Operating-Systems
byVenkata Sreeram
 
PDF
Intruders
byDr.Florence Dayana
 
PPTX
Cryptography and Information Security
byDr Naim R Kidwai
 
PPTX
User authentication
byCAS
 
Authentication techniques
byIGZ Software house
 
Dbms architecture
byShubham Dwivedi
 
Security Attacks.ppt
byZaheer720515
 
Network security & cryptography full notes
bygangadhar9989166446
 
DeadLock in Operating-Systems
byVenkata Sreeram
 
Intruders
byDr.Florence Dayana
 
Cryptography and Information Security
byDr Naim R Kidwai
 
User authentication
byCAS
 

What's hot

PPTX
Distributed database
byReachLocal Services India
 
PPTX
two tier and three tier
byKashafnaz2
 
PPTX
A presentation on software crisis
bychandan sharma
 
PPTX
Computer security concepts
byPrachi Gulihar
 
PDF
Information Security Lecture Notes
byFellowBuddy.com
 
PDF
Data security and Integrity
byZaid Shabbir
 
PPTX
Eucalyptus, Nimbus & OpenNebula
byAmar Myana
 
PDF
Software Engineering : Requirement Analysis & Specification
byAjit Nayak
 
PPTX
Security & Protection in Operating System
byMeghaj Mallick
 
PPTX
Operating system security
byRamesh Ogania
 
PPT
Protection and Security in Operating Systems
byvampugani
 
PPTX
World wide web architecture presentation
byImMe Khan
 
PPTX
Cloud Computing & Distributed Computing
byAmity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
PPTX
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
byRAMESHBABU311293
 
PPTX
Purpose of DBMS and users of DBMS
byDharmamSavani
 
PPTX
Cloud computing and Cloud Enabling Technologies
byAbdelkhalik Mosa
 
PPT
Cloud Computing Security Challenges
byYateesh Yadav
 
PDF
Deadlock in Distributed Systems
byPritom Saha Akash
 
PDF
Chapter 1 Introduction of Cryptography and Network security
byDr. Kapil Gupta
 
PPT
Virtualization (Distributed computing)
bySri Prasanna
 
Distributed database
byReachLocal Services India
 
two tier and three tier
byKashafnaz2
 
A presentation on software crisis
bychandan sharma
 
Computer security concepts
byPrachi Gulihar
 
Information Security Lecture Notes
byFellowBuddy.com
 
Data security and Integrity
byZaid Shabbir
 
Eucalyptus, Nimbus & OpenNebula
byAmar Myana
 
Software Engineering : Requirement Analysis & Specification
byAjit Nayak
 
Security & Protection in Operating System
byMeghaj Mallick
 
Operating system security
byRamesh Ogania
 
Protection and Security in Operating Systems
byvampugani
 
World wide web architecture presentation
byImMe Khan
 
Cloud Computing & Distributed Computing
byAmity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
byRAMESHBABU311293
 
Purpose of DBMS and users of DBMS
byDharmamSavani
 
Cloud computing and Cloud Enabling Technologies
byAbdelkhalik Mosa
 
Cloud Computing Security Challenges
byYateesh Yadav
 
Deadlock in Distributed Systems
byPritom Saha Akash
 
Chapter 1 Introduction of Cryptography and Network security
byDr. Kapil Gupta
 
Virtualization (Distributed computing)
bySri Prasanna
 

Similar to Administering security

PPT
Lecture1 intro to cs
byDoneisha McKenzie
 
PPTX
Understanding the security_organization
byDan Morrill
 
PPTX
Introduction to Information security ppt
bykrishkiran2408
 
PPTX
Introduction to Information security ppt
bykrishkiran2408
 
PPTX
Cyber Security # Lec 3
byKabul Education University
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
PPTX
Information security FundameFundamentals.pptx
byatuexaminations
 
PPT
InfoSecConcepts.ppt
byMobileAntitheft
 
PPT
Risk Assessment And Management
byvikasraina
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PPT
Testing
bylorenceman
 
PPT
IT-Security-20210426203847.ppt
byIan Dave Balatbat
 
PPT
IT-Security-20210426203847.ppt
byRamaNingaiah
 
PPT
IT-Security-20210426203847.ppt
byssuser6c59cb
 
PPT
IT-Security Assessment for IT assets.ppt
bysantoshsahu190428
 
PDF
Risk management by Deepak kumar dwivedi
byEm Red
 
PPTX
Information security management (bel g. ragad)
byRois Solihin
 
PPTX
IT Security & Risk
byTanujpandey5
 
PDF
Describe two methods for communicating the material in an Informatio.pdf
byarchgeetsenterprises
 
PPT
Security information for internet and security
bySomesh Kumar
 
Lecture1 intro to cs
byDoneisha McKenzie
 
Understanding the security_organization
byDan Morrill
 
Introduction to Information security ppt
bykrishkiran2408
 
Introduction to Information security ppt
bykrishkiran2408
 
Cyber Security # Lec 3
byKabul Education University
 
MIS: Information Security Management
byJonathan Coleman
 
Information security FundameFundamentals.pptx
byatuexaminations
 
InfoSecConcepts.ppt
byMobileAntitheft
 
Risk Assessment And Management
byvikasraina
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
Testing
bylorenceman
 
IT-Security-20210426203847.ppt
byIan Dave Balatbat
 
IT-Security-20210426203847.ppt
byRamaNingaiah
 
IT-Security-20210426203847.ppt
byssuser6c59cb
 
IT-Security Assessment for IT assets.ppt
bysantoshsahu190428
 
Risk management by Deepak kumar dwivedi
byEm Red
 
Information security management (bel g. ragad)
byRois Solihin
 
IT Security & Risk
byTanujpandey5
 
Describe two methods for communicating the material in an Informatio.pdf
byarchgeetsenterprises
 
Security information for internet and security
bySomesh Kumar
 

More from Prachi Gulihar

PPTX
The trusted computing architecture
byPrachi Gulihar
 
PPTX
Security risk management
byPrachi Gulihar
 
PPTX
Mobile platform security models
byPrachi Gulihar
 
PPTX
Malicious software and software security
byPrachi Gulihar
 
PPTX
Network defenses
byPrachi Gulihar
 
PPTX
Network protocols and vulnerabilities
byPrachi Gulihar
 
PPTX
Web application security part 02
byPrachi Gulihar
 
PPTX
Web application security part 01
byPrachi Gulihar
 
PPTX
Basic web security model
byPrachi Gulihar
 
PPTX
Least privilege, access control, operating system security
byPrachi Gulihar
 
PPTX
Dealing with legacy code
byPrachi Gulihar
 
PPTX
Exploitation techniques and fuzzing
byPrachi Gulihar
 
PPTX
Control hijacking
byPrachi Gulihar
 
PPTX
Database security and security in networks
byPrachi Gulihar
 
PPTX
Protection in general purpose operating system
byPrachi Gulihar
 
PPT
Elementary cryptography
byPrachi Gulihar
 
PPT
Information security introduction
byPrachi Gulihar
 
PPTX
Technology, policy, privacy and freedom
byPrachi Gulihar
 
PPTX
Computation systems for protecting delimited data
byPrachi Gulihar
 
PPTX
Survey of file protection techniques
byPrachi Gulihar
 
The trusted computing architecture
byPrachi Gulihar
 
Security risk management
byPrachi Gulihar
 
Mobile platform security models
byPrachi Gulihar
 
Malicious software and software security
byPrachi Gulihar
 
Network defenses
byPrachi Gulihar
 
Network protocols and vulnerabilities
byPrachi Gulihar
 
Web application security part 02
byPrachi Gulihar
 
Web application security part 01
byPrachi Gulihar
 
Basic web security model
byPrachi Gulihar
 
Least privilege, access control, operating system security
byPrachi Gulihar
 
Dealing with legacy code
byPrachi Gulihar
 
Exploitation techniques and fuzzing
byPrachi Gulihar
 
Control hijacking
byPrachi Gulihar
 
Database security and security in networks
byPrachi Gulihar
 
Protection in general purpose operating system
byPrachi Gulihar
 
Elementary cryptography
byPrachi Gulihar
 
Information security introduction
byPrachi Gulihar
 
Technology, policy, privacy and freedom
byPrachi Gulihar
 
Computation systems for protecting delimited data
byPrachi Gulihar
 
Survey of file protection techniques
byPrachi Gulihar
 

Recently uploaded

PDF
final.pdf
byomarbishtawi04
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
final.pdf
byomarbishtawi04
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Workflow and decision Automation with Flowable
bychakib ch
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 

Administering security

  • 1.
  • 2.
    Index • Risk analysis •Legal, Privacy & Ethical issues • Computer Security: Protecting Programs and Data
  • 3.
    Security in SystemDevelopment • Risk Analysis & Management needs to be a part of system development, not tacked on afterwards • Baskerville's three generations of methods 1st Generation: Checklists Example: BS 7799 Part 1 2nd Generation: Mechanistic engineering methods Example: this risk analysis method 3rd Generation: Integrated design Not yet achieved
  • 4.
    Risk Analysis andManagement Framework Assets Threats Vulnerabilities Risks Security Measures } } Analysis Management
  • 5.
    Definitions 1 The meaningsof terms in this area is not universally agreed. We will use the following • Threat: Harm that can happen to an asset • Impact: A measure of the seriousness of a threat • Attack: A threatening event • Attacker: The agent causing an attack (not necessarily human) • Vulnerability: a weakness in the system that makes an attack more likely to succeed • Risk: a quantified measure of the likelihood of a threat being realised
  • 6.
    Definitions 2 • RiskAnalysis involves the identification and assessment of the levels of risk, calculated from the – Values of assets – Threats to the assets – Their vulnerabilities and likelihood of exploitation • Risk Management involves the identification, selection and adoption of security measures justified by – The identified risks to assets – The reduction of these risks to acceptable levels
  • 7.
    Goals of RiskAnalysis • All assets have been identified • All threats have been identified – Their impact on assets has been valued • All vulnerabilities have been identified and assessed
  • 8.
    Problems of MeasuringRisk Businesses normally wish to measure in money, but • Many of the entities do not allow this – Valuation of assets • Value of data and in-house software - no market value • Value of goodwill and customer confidence – Likelihood of threats • How relevant is past data to the calculation of future probabilities? – The nature of future attacks is unpredictable – The actions of future attackers are unpredictable – Measurement of benefit from security measures • Problems with the difference of two approximate quantities – How does an extra security measure affect a ~10-5 probability of attack?
  • 9.
    Risk Levels • Precisemonetary values give a false precision • Better to use levels, e.g. – High, Medium, Low • High: major impact on the organisation • Medium: noticeable impact (“material” in auditing terms) • Low: can be absorbed without difficulty – 1 - 10 • Express money values in levels, e.g. – For a large University Department a possibility is • High • Medium • Low
  • 10.
    Risk Analysis Steps •Decide on scope of analysis – Set the system boundary • Identification of assets & business processes • Identification of threats and valuation of their impact on assets (impact valuation) • Identification and assessment of vulnerabilities to threats • Risk assessment
  • 11.
    Risk Analysis –Defining the Scope • Draw a context diagram • Decide on the boundary – It will rarely be the computer! • Make explicit assumptions about the security of neighbouring domains – Verify them!
  • 12.
    Risk Analysis -Identification of Assets • Types of asset – Hardware – Software: purchased or developed programs – Data – People: who run the system – Documentation: manuals, administrative procedures, etc – Supplies: paper forms, magnetic media, printer liquid, etc – Money – Intangibles • Goodwill • Organisation confidence • Organisation image
  • 13.
    Risk Analysis –Impact Valuation Identification and valuation of threats - for each group of assets • Identify threats, e.g. for stored data – Loss of confidentiality – Loss of integrity – Loss of completeness – Loss of availability (Denial of Service) • For many asset types the only threat is loss of availability • Assess impact of threat – Assess in levels, e.g H-M-L or 1 - 10 – This gives the valuation of the asset in the face of the threat
  • 14.
    Risk Analysis –Process Analysis • Every company or organisation has some processes that are critical to its operation • The criticality of a process may increase the impact valuation of one or more assets identified So • Identify critical processes • Review assets needed for critical processes • Revise impact valuation of these assets
  • 15.
    Risk Analysis –Vulnerabilities 1 • Identify vulnerabilities against a baseline system – For risk analysis of an existing system • Existing system with its known security measures and weaknesses – For development of a new system • Security facilities of the envisaged software, e.g. Windows NT • Standard good practice, e.g. BS 7799 recommendations of good practice
  • 16.
    Risk Analysis –Vulnerabilities 2 For each threat • Identify vulnerabilities – How to exploit a threat successfully; • Assess levels of likelihood - High, Medium, Low – Of attempt • Expensive attacks are less likely (e.g. brute-force attacks on encryption keys) – Successful exploitation of vulnerability; • Combine them Likelihood of Attempt Likelihood of Success Low Low Low Med Med Low Med High HighHigh High Med Med Low Low
  • 17.
    Responses to Risk Responsesto risk • Avoid it completely by withdrawing from an activity • Accept it and do nothing • Reduce it with security measures
  • 18.
    Security Measures Possible securitymeasures • Transfer the risk, e.g. insurance • Reduce vulnerability – Reduce likelihood of attempt • e.g. publicise security measures in order to deter attackers • e.g. competitive approach - the lion-hunter’s approach to security – Reduce likelihood of success by preventive measures • e.g. access control, encryption, firewall • Reduce impact, e.g. use fire extinguisher / firewall • Recovery measures, e.g. restoration from backup
  • 19.
    Problems of RiskAnalysis and Management • Lack of precision • Volume of work and volume of output • Integrating them into a ”normal” development process
  • 20.
    Legal, Privacy, andEthical Issues in Computer Security • Program and data protection by patents, copyrights, and trademarks • Computer Crime • Privacy • Ethical Analysis of computer security situations • Codes of professional ethics
  • 21.
    Motivation for studyinglegal issues • Know what protection the law provides for computers and data • Appreciate laws that protect the rights of others with respect to computers, programs, and data • Understand existing laws as a basis for recommending new laws to protect compuuters, programs, and data
  • 22.
    Aspects of Protectionof the security of computers • Protecting computing systems against criminals • Protecting code and data (copyright...) • Protecting programmers’ and employers’ rights • Protecting private data about individuals • Protecting users of programs
  • 23.
    23 Ethical vs. LegalIssues • Q: What’s the difference between a legal issue and an ethical issue? • How do you determine which it is? • Should you care which it is? • What percentage of your time would you guess that you will spend dealing with ethical or legal issues?
  • 24.
    24 Ethical vs. LegalIssues • Legal issues: – Sometimes have a definitive answer – Determination is made by others (not you) • Ethical issues: – Sometimes have a definitive answer – You determine your course of action • The law doesn’t make it “right” • Being “right” doesn’t make it legal
  • 25.
    Basic Legal Issues a)Protecting Programs and Data b) Information and the Law c) Ownership Rights of Employees and Employers d) Software Failures (and Customers)
  • 26.
    Protecting Programs andData  Copyrights — designed to protect expression of ideas (creative works of the mind)  Ideas themselves are free  Different people can have the same idea  The way of expressing ideas is copyrighted  Copyrights are exclusive rights to making copies of expression  Copyright protects intellectual property (IP) IP must be:  Original work  In some tangible medium of expression
  • 27.
    INTELLECTUAL PROPERTY RIGHT • Intellectualproperty rights are the legal rights that cover the privileges given to individuals who are the owners and inventors of a work, and have created something with their intellectual creativity. Individuals related to areas such as literature, music, invention, etc., can be granted such rights, which can then be used in the business practices by them. • The creator/inventor gets exclusive rights against any misuse or use of work without his/her prior information
  • 28.
    Types of IntellectualProperty Rights • Copyright • Patent • Trade marks.
  • 29.
    Copyrights • Public domain-work owned by the public, (e.g. government) • Work must be original to the author • “fair use of a copyrighted work, including such use by reproduction I copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research.” • New owner can give away or sell object
  • 30.
    Copyrights • Each copymist be marked with the copyright symbol © or the word Copyright, the year and the author’s name • U.S. copyright lasts for 70 years beyond death of last surviving author or 95 years after publication for a company • Copyright Infringement • Copyrights for computer software (cannot copyright the algorithm) • You do not purchase a piece of software, just the license to use it. • Computer menu design can be copyrighted, but not “look and feel”
  • 31.
    Copyrights • In India,the law on copyright protection is contained in the Indian Copyright Act, 1957 – • which came into effect in January 1958. • This Act has been amended 5 times since then i.e.. In 1983, 1984,1992, 1994, 1999 & 2012. • The Copyright ( Amendment ) Act 2012 is the most substantial, bringing the digital environment into its purview.
  • 32.
    Subject Matter ofCopyright • Copyright law protects "original works of authorship.“ • The work does not have to be the first of its kind, or novel • it just has to be the independent product of the author, not copied from another source. • Copyright is held by an author upon a work's creation and "fixation“ in tangible form, so that it can be perceived directly or with the aid of a machine or other device
  • 33.
    Contd.. • Works ofauthorship include the following categories (1)literary works; (2)musical works, including any accompanying words; (3)dramatic works, including any accompanying music; (4) choreographic works; (5)pictorial, graphic, and sculptural works; (6)motion pictures and other audiovisual works; (7)sound recordings; and (8)architectural works.
  • 34.
    What Copyright Protects •Original Literary, Dramatic, Musical and Artistic Works • Cinematograph Films • Sound Recordings
  • 35.
    Literary Works • Novels,poems, short stories • Books on any subject • Computer programmes, tables, computer databases • Song lyrics
  • 36.
    Computer Software Includes • ProgrammeManuals • Punched Cards • Magnetic Tapes/Discs • Computer printouts • Computer programmes
  • 37.
    Who owns thecopyright? • Ordinarily, the creator does. However, if he or she creates the work in the course of employment or is retained under an appropriate contract to make the work, then the work is a "work made for hire," and the employer or the contracting party owns the copyright. Co-creators jointly own the copyright in the work they create together. • In some situations, when a work is created by a member of the University, Harvard policies vary the ownership that would otherwise result under copyright law.
  • 38.
    Can a copyrightbe transferred to someone else? • Like any other property, a copyright can be sold or given to someone else, who then becomes the owner of the copyright. A copyright is a bundle of exclusive rights, which can be transferred separately or all together. • A copyright owner can also retain the copyright but permit (or non-exclusively license) others to exercise some of the owner's rights. For example, a photographer might permit the use of one of her photographs on a book jacket.
  • 39.
    Permission to reproduceor disseminate someone else's copyrighted work? • Find the copyright owner and ask. There are no special forms that must be used, and permission can be oral or written, though it is good practice to obtain permission in writing. • The copyright owner is free to charge whatever fee he or she wishes, though the user is likewise free to try to negotiate a lower fee. • Most major publishers and periodicals have a "permissions desk" or a "rights editor," and a written request addressed in this way will usually find its way to the right person. • You should specify the publication you wish to take from; the precise pages, chapters, photographs or the like you want to use; how many copies you want to make; and the purpose of your use Many permissions desks accept requests by e-mail or through the publisher's website.
  • 40.
    Infringement • A copyrightis infringed when one of the exclusive rights of the copyright holder is violated. • These include the right to reproduce a – copyrighted work, prepare derivative works based upon it, distribute copies by sale or other transfer of ownership, to perform and display it publicly, and to authorize others to do so – Three types of infringement – Direct infringement – Indirect infringement – Vicarious liabilities
  • 41.
    Direct Infringement • Directinfringement occurs when a person without authorizaton reproduces, distributes, displays, or performs a copyrighted work, or prepares a derivative work based on a copyrighted work. • direct copyright infringement, it does not matter. whether a direct profit is derived from the infringing works.
  • 42.
    Contributory Infringement • Liabilityfor copyright infringement may be imposed on persons who have not themselves engaged in the infringing activity, but where it may be seen as "just to hold one individual accountable for the actions of another.“ • Contributory infringement occurs, for example, where a person "with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another.“ • An Internet provider may be liable for contributory infringement, says the court, if it knows or should have known of the infringement and fails to do anything about it.
  • 43.
    Exclusive Rights • Copyrightprovides an author with a tool to protect a work from being taken, used, and exploited by others without permission. • The owner of a copyrighted work has the exclusive right – to reproduce it, – prepare derivative works based upon it, – distribute copies by sale or other transfer of ownership, – to perform and display it publicly, and – to authorize others to do so.
  • 44.
    Patents • Protect inventions,tangible objects, or ways to make them, not works of the mind. • Patent designed to protect the device or process for carrying out an idea, not the idea itself. • Patent goes to person who invented the object first • Algorithms are inventions and can be patented
  • 45.
    Patent • Patents giveinventors the exclusive right to duplicate their invention’s design. Patents cover devices, formulas, tools, and anything that has utility. To get a patent, you must apply to the Patent Office and submit the invention’s design. You must show that the design is unique. A patent examiner will determine if you are entitled to a patent. If so, a patent is granted that prohibits anyone else from making, using, offering for sale, selling, or importing the invention. A patent lasts 20 years.
  • 46.
    Trademark • A trademarkis a word, phrase, or logo that identifies a product, a service, or the person or company that offers a product or service to the public. You must apply to Trademark Office to register a federal trademark. If your trademark is registered, you can generally prevent anyone else from using a mark that may confuse the public about who offers the product or service.
  • 47.
    Trade Secrets • Informationthat gives one company a competitive edge over others • Reverse engineering – study finished object to determine how it is manufactured or how it works • Trade secret protection can apply to software
  • 48.
    Copyright v/s Patentv/s Trade mark • Copyright protects original works of authorship, • while a patent protects inventions or discoveries. • A trademark protects words, phrases, symbols, or designs identifying the source of the goods or services of one party and distinguishing them from those of others.
  • 49.
    Comparison table Copyright,Patent and Trade Secret Protection Copyright Patent Trade Secret Protects Expression of idea, not idea itself Invention—way something works Secret, competitive advantage Protected Object Made Public Yes; intention is to promote publication Design filed at Patent Office No Must Distribute Yes No No Ease of filing Very easy, do-it- yourself Very complicated; specialist lawyer suggested No filing Duration Originator’s life + 70 yrs; 95 y. For company 19 years Indefinite Legal Protection Sue if unauthorized copy sold Sue if invention copied/reinvented Sue if secret improperly obtained