Network Security. Instructor: Adam Hahn

Similar documents
Introduction to Security

Introduction to Computer Security

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

Computer Security Threats

COSC 472 Network Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

CPSC 467: Cryptography and Computer Security

Information Security Basic Concepts

Get Confidence in Mission Security with IV&V Information Assurance

IT Security Management Risk Analysis and Controls

ISO Controls and Objectives

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

FINAL May Guideline on Security Systems for Safeguarding Customer Information

INFORMATION TECHNOLOGY SECURITY STANDARDS

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. March 19, 2015

ISO27001 Controls and Objectives

CSE 5392 Sensor Network Security

Cybersecurity for the C-Level

Chap. 1: Introduction

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Cybersecurity Definitions and Academic Landscape

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Design Principles for Protection Mechanisms. Security Principles. Economy of Mechanism. Least Privilege. Complete Mediation. Economy of Mechanism (2)

Security Goals Services

CSC 474 Information Systems Security

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Security Testing. How security testing is different Types of security attacks Threat modelling

Network Security Policy

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

IBX Business Network Platform Information Security Controls Document Classification [Public]

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Security Defense Strategy Basics

Practical Overview on responsibilities of Data Protection Officers. Security measures

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

Information Security Policy

Weighted Total Mark. Weighted Exam Mark

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS

Technical Proposition. Security

HIPAA Security Alert

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

Data Management Policies. Sage ERP Online

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

INTRODUCTION TO NETWORK SECURITY. Nischit Vaidya, CISSP Instructor

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

BKDconnect Security Overview

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

Policy for the Acceptable Use of Information Technology Resources

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Information Security for Managers

FACT SHEET: Ransomware and HIPAA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Security Controls What Works. Southside Virginia Community College: Security Awareness

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Data Security Incident Response Plan. [Insert Organization Name]

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Content Teaching Academy at James Madison University

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Office of Inspector General

Computer Concepts And Applications CIS-107-TE. TECEP Test Description

Wireless Network Security

Microsoft STRIDE (six) threat categories

IY2760/CS3760: Part 6. IY2760: Part 6

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

DATABASE SECURITY, INTEGRITY AND RECOVERY

Chapter 6: Fundamental Cloud Security

APHIS INTERNET USE AND SECURITY POLICY

INFORMATION SECURITY PROGRAM

Electronic business conditions of use

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

ECE509 Cyber Security : Concept, Theory, and Practice

Transcription:

Network Security Instructor: Adam Hahn

The syllabus

Reading for Wednesday Ken Thompson, Reflections on Trusting Trust, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. http://cm.bell-labs.com/who/ken/trust.html Bruce Schneier, The Security Mindset https://www.schneier.com/blog/archives/2008/03 /the_security_mi_1.html

Why Network Security???

Cybercrime Source: New York Magazine, http://nymag.com/daily/intelligencer/2013/04/aptwitter-hack-sends-stock-market-spinning.html Source: CNN Money, http://nymag.com/daily/intelligencer/2013/04/aptwitter-hack-sends-stock-market-spinning.html

Hactivism Source: Forbes, http://www.forbes.com/sites/quora/2014/07/24/how -wsjs-facebook-page-got-hacked-and-what-othersshould-do-to-prevent-this/ Source: Mother Jones, http://www.motherjones.com/politics/2014/07/anonymous -cyberattack-israel-gaza

Nation-State Threats Source: The Washington Post, http://www.washingtonpost.com/world/nationalsecurity/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtubevideos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593- da634b334390_story.html Source: CNET, http://www.cnet.com/news/saudi-oil-firm-says-30000- computers-hit-by-virus/ Source: The New York Times, http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resumeattacks-on-us-targets.html?pagewanted=all&_r=0

What is computer/network security?

Security Definition & Properties Computer Security : The protection afforded to an automated information system in order to attain the applicabile objectives of preserving the integrity, availability, and confidentiality of information system resources. -NIST Computer Security Handbook Key Principles: CIA Triad [From FIPS-199] Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity Availability - Ensuring timely and reliable access to and use of information.

Security Properties cont. Accountability The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Privacy - Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be displosed Authenticity - The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Security Properties - Examples Student Grades Confidentiality only the student/instructor can see their grade Integrity grades accurate represent hw/test scores Availability grades should be available for report cards Authenticity only the instructor can assign grades Privacy student has discretion over who sees grades Accountability evidence that instructor added grades to the system

In class example: Facebook Integrity? Confidentiality? Availability? Accountability? Privacy? Authenticity?

Security Concepts and Relationships

Threats/Attacks Threat Consequence Unauthorized Disclosure A circumstance or event whereby an entity gains access to data for which the entity is not authorized. Deception A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. Disruption A circumstance or event that interrupts or prevents the correct operation of system services and functions. Usurpation A circumstance or event that results in control of system services or functions by an unauthorized entity. Threat Action (attack) Exposure: Sensitive data are directly released to an unauthorized entity. Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations. Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications. Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections. Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity. Falsification: False data deceive an authorized entity. Repudiation: An entity deceives another by falsely denying responsibility for an act. Incapacitation: Prevents or interrupts system operation by disabling a system component. Corruption: Undesirably alters system operation by adversely modifying system functions or data. Obstruction: A threat action that interrupts delivery of system services by hindering system operation. Misappropriation: An entity assumes unauthorized logical or physical control of a system resource. Misuse: Causes a system component to perform a function or service that is detrimental to system security.

Assets - Threats

Attack Trees Intro Model to help understand potential vulnerabilities in a system Root node = objective Leaf node = specific threat/attack Can use AND/OR gates

Attack Trees: In Class Root Node: Access contents of a safe

Security Design Principles Saltzer and Schroeder Economy of mechanisms mechanisms should be as simple, small as possible Fail-safe defaults system fails into the correct state (deny or allow) Complete mediation every access to a system should be checked/validated Open design security designs should be open, no security by obscurity Separation of privilege require multiple privileges to access restricted resource/function Least privilege processes/users should always use least privileges Least common mechanism minimize functions shared by different users Psychological acceptability mechanisms should not interfere with work for users

Security Strategy 1. Security Policies What is the system supposed to do? 2. Security Mechanisms How is the policy enforced? 3. Assurance/Evaluation Does the mechanism enforce the policy?

Security Policy Business decision Risk/threats Value of information/systems Describes intended system behavior Who needs/doesn t need access to information/systems Identify trade-offs Security vs usability Security vs cost Security vs performance

Security Implementations Four possible actions Prevention Examples: Firewalls, encryption Detection Examples: Intrusion detection systems, antivirus Response Examples: Reconfigure/modify system Recovery Examples: Contingency planning/disaster recovery

Security Assurance/Evaluation Assess efficacy of security controls More formal Common Criteria international standards for computer security certification Less formal Security test & evaluation Vulnerability assessments Penetration tests attempt to break into system

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information