Information Security: Goals and Enabling Technologies

Similar documents
Notes on Network Security - Introduction

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

The potential legal consequences of a personal data breach

So the security measures you put in place should seek to ensure that:

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

Secure Thinking Bigger Data. Bigger risk?

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Information Security Services

Understanding Cyber Defense A Systems Architecture Approach

Internet Safety and Security: Strategies for Building an Internet Safety Wall

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

COB 302 Management Information System (Lesson 8)

Chapter 6: Fundamental Cloud Security

COSC 472 Network Security

FACT SHEET: Ransomware and HIPAA

CHAPTER 10: COMPUTER SECURITY AND RISKS

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

Cybercrime: risks, penalties and prevention

Network Security: Introduction

Security Defense Strategy Basics

HACKED: Data Breach Scenario

Electronic Security is defined d as:

CS 203 / NetSys 240. Network Security

TELE 301 Network Management. Lecture 18: Network Security

SECURITY CONSIDERATIONS FOR LAW FIRMS

Strategy Advisory Group SA. Corporate Training. Information Security Awareness Program 1

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Chap. 1: Introduction

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Alexander Nikov. 9. Information Assurance and Security, Protecting Information Resources. Learning Objectives. You re on Facebook? Watch Out!

Information Security Basic Concepts

Unit 3 Cyber security

CPSC 467: Cryptography and Computer Security

GUIDE TO MANAGING DATA BREACHES

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Information Security in Business: Issues and Solutions

EXIN Information Security Foundation based on ISO/IEC Sample Exam

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Cyber Security Issues - Brief Business Report

Vulnerability Assessment & Compliance

Introduction to Security

ISO IEC ( ) TRANSLATED INTO PLAIN ENGLISH

Information Technology Services Information Security Incident Response Plan

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES


CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Ursuline College Accelerated Program URSULINE COLLEGE

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Data Management & Protection: Common Definitions

Penetration Testing Service. By Comsec Information Security Consulting

HAZELDENE LOWER SCHOOL

STATE OF CYBER SECURITY IN ETHIOPIA

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

ISO27001 Controls and Objectives

Security Goals Services

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

Network Security and the Small Business

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

06100 POLICY SECURITY AND INFORMATION ASSURANCE

Information Security Insights From and For Canadian Small to Medium Sized Enterprises

ISACA Kampala Chapter Feb Bernard Wanyama Syntech Associates Limited

Managing Cyber Risk through Insurance

Getting real about cyber threats: where are you headed?

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

How-To Guide: Cyber Security. Content Provided by

Data Security. The dominant business communication tool

Presented by: Islanders Bank

Data Protection Breach Management Policy

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

POLICIES TO MITIGATE CYBER RISK

Version 1.0. Ratified By

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

Guidelines 1 on Information Technology Security

IY2760/CS3760: Part 6. IY2760: Part 6

Data Security Incident Response Plan. [Insert Organization Name]

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

Welcome to this ACT webinar

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

13. Acceptable Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Making Sense of Cyber Insurance: A Guide for SMEs

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

Mike Casey Director of IT

SecurityMetrics Vision whitepaper

Conditions of Use. Communications and IT Facilities

Whitepaper on AuthShield Two Factor Authentication and Access integration with Microsoft outlook using any Mail Exchange Servers

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Application Security in the Software Development Lifecycle

Transcription:

Information Security: Goals and Enabling Technologies Ali E. Abdallah Professor of Information Security Birmingham City University Email: Ali.Abdallah@bcu.ac.uk With thanks to Professors Anne Flanagan and Ian Walden

Lectures are part of the project: ConSoLiDatE Multi-disciplinary Cooperation for Cyber Security, Legal and Digital forensics Education Funded by December 2014-March 2016

ConSoLiDatE Objectives Development of educational resources conveying essential: Ø Cyber security knowledge Ø Legal principles Ø Practical digital forensic investigations Provision of supportive resources for flexible student learning Consolidation of links between theory and practice through practical scenarios. 3

Introductory remarks Why Cyber Security and Law? Collaboration between the two communities is much needed. Ø We live in a digital world; Technology constantly changing; Ø Criminal law evolves through many centuries but cyber law is very young; Ø New national/eu/us laws emerge, we need to understand their implications. We often use the same vocabulary but mean different things! Ø Concepts of proof, authorisation, etc..

Why Cyber Security and Law? Legal appreciation is important for cyber security specialists serious implications arise from: Ø Testing; ethical hacking; Ø Personal data; privacy Ø Server locations for processing personal information Cyber knowledge exceedingly important for lawyers: Ø Most new crimes involve cyber evidence (more than 90%) Ø Formulating service level agreements rely on understanding cyber risks Ø Protecting client information

Outline Motivation Ø Examples of Assets, threats and impacts What is information Security about? Ø Protection, Detection and Reaction Goals of Information Security Ø Confidentiality, Integrity, Availability Enabling concepts, mechanisms and technologies Case study Summary

Needs for Information Security Information security is as necessary as physical security; just as a business locks the doors to its offices it must also take steps to protect its information assets. Information security is a business enabler that provides a protected context in which commerce can occur while still protecting intellectual property and customer data. The value of information security cannot always be established in hard cost; if a countermeasure is purely preventative then ROI may be measured by performing a cost/benefit analysis

Security Attacks are Frequent Headline News!

Flight Simulator Site Destroyed! One of the oldest web sites, with millions of users, was destroyed! No contingency plan! http://news.bbc.co.uk/1/hi/ technology/8049780.stm

Ashley Madison With millions of users, security was breached August 2015! Weak password protection and poor security of core functionalities http://news.bbc.co.uk/1/hi/ technology/8049780.stm

Impact of Recent Ashley Madison Hack Founder and Chief executive stepped down. Reported suicides of two individuals associated with website! Reputation in ruin! http://www.bbc.co.uk/search? q=ashley%20madison

Attacks on a country s infrastructure In May 2007, Estonia was hit by Moscow Cyber War. The hacking principle is very simple- you just send a shed load of requests simultanously! http://news.bbc.co.uk/1/hi/ world/europe/6665145.stm

Cost of Estonia s attack Considered a declaration of war. Services in the whole country came to a halt for thee weeks http://news.bbc.co.uk/1/hi/ world/europe/6665145.stm

Attacks on a personal email September 2007: Hackers infiltrate Sarah Palin s personal Yahoo email. Attackers exploited the password resetting system of Yahoo email service.! http://news.bbc.co.uk/1/mobile/ world/americas/7622726.stm

Results of the Attack Personal and official email messages and photos were posted online. Mrs Palin was investigated for alleged abuse of power. She claimed to have lost vice-presidential race because of this breachl Hacker was sentenced for one year. http://news.bbc.co.uk/1/mobile/ world/americas/7622726.stm

Attacks on a country s infrastructure November 2010, Stuxnet worm hit Iran s nuclear installations. Very sophisticated and carefully targeted attack. http://news.bbc.co.uk/1/hi/ technology/8049780.stm

Secondhand computers Details of one millions bank customers found!

So far.. We have illustrated a number of cyber attacks involving a variety of: Ø targets, Ø sources, Ø intensity, Ø Sophistications, capabilities Ø effects, severity or impacts. Ø motivations Attackers only need to find a single weakness!

Security Challenges Computer security is not as simple as it might first appear to the novice Attackers only need to find a single weakness, the developer needs to find all weaknesses Users and system managers tend to not see the benefits of security until a failure occurs. Security is often an afterthought to be incorporated into a system after the design is complete. Thought of as an impediment to efficient and user-friendly operation.

Information Security Strategy

What are the security objectives? Prevention: take measures that prevent your assets from being damaged Detection: take measures so that you can detect when, how, and by whom an asset has been damaged Reaction: take measures so that you can recover your assets or to recover from a damage to your assets 21

Private Property Example Prevention: locks at doors, window bars, walls round the property Detection: burglar alarms, closed circuit TV, discovery of missing stolen items. Reaction: call the police, replace stolen items, make an insurance claim Introduction 22

E-Commerce Example Prevention: encrypt your orders, rely on the merchant to perform checks on the user, don t use the Internet (?) Detection: an unauthorized transaction appears on your credit card statement Reaction: complain, ask for a new card number, consult your lawyer, etc. Introduction 23

Examples of Cyber Security Threats Malicious software: Viruses; Worms; Trojans; Identity theft Ø Password crackers Ø Phishing Ø Spoofing / masquerading Ø Social engineering Unauthorized Access Ø Eavesdropping and tapping Ø targeted data mining Ø Back door/trap door Denial of service (DoS, DDoS) Ø Logic bombs Ø Crypto-locker

Information Security Goals

Goals of Security: CIA Defined Confidentiality - the protection of information from unauthorized or accidental disclosure Integrity assures information is as entered and intended; that the information has not been incorrectly modified, corrupted or destroyed. Availability- assures that assets are available when needed to support the organizational enterprise on a timely and reliable basis.

Computer Security? Confidentiality: prevent unauthorised disclosure of information Integrity: prevent unauthorised modification of information Availability: prevent unauthorised withholding of information or resources Other aspects: accountability, authenticity Introduction 28

Confidentiality Historically, security and secrecy were closely related. Sometimes, security and confidentiality are used as synonyms Prevent unauthorised disclosure of information (prevent unauthorised reading) Privacy: protection of personal data Secrecy: protection of data belonging to an organisation Introduction 29

Integrity ITSEC: prevent unauthorised modification of information (prevent unauthorised writing) Clark & Wilson: No user of the system, even if authorized, may be permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted. Orange Book: Data Integrity - The state that exists when computerized data is the same as that in the source document and has not been exposed to accidental or malicious alteration or destruction. (Integrity synonymous for external consistency.) Introduction 30

Integrity ctd. Integrity in communications: detection (and correction) of intentional and accidental modifications of transmitted data In the most general sense: make sure that everything is as it is supposed to be; the data in a computer system should correctly reflect some reality outside the computer system. Integrity is a prerequisite for many other security services. Operating systems security has a lot to do with integrity. Introduction 31

Availability CTCPEC: the property that a product s services are accessible when needed and without undue delay IS 7498-2: the property of being accessible and usable upon demand by an authorised entity Denial of Service (DoS): The prevention of authorised access of resources or the delaying of time-critical operations Introduction 32

Information Assurance Wider scope includes: people, resources, technology and processes. People Focus on understanding and applying good practices to achieve a holistic view of protection. Processes Practices Systems & Resources

Questions???

Enabling Technical Concepts and Mechanisms

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information