1 / 39

Security

Security. Outline What is Security What is Electronic security Objectives of security Importance of security Types of security Security policy Security Tips. What is Security? That which secures; protection; a state of safety or safe keeping. Electronic Security

alida
Télécharger la présentation

Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security

  2. Outline • What is Security • What is Electronic security • Objectives of security • Importance of security • Types of security • Security policy • Security Tips

  3. What is Security? • That which secures; • protection; • a state of safety or safe keeping.

  4. Electronic Security • The process of preventing and detecting unauthorized use of a computer based information system • Prevention measures to stop unauthorized users from accessing any part of the computer based information system

  5. Importance of Security • Privacy • Crime • Networks and their associated technologies have opened the door to an increasing number of security threats. • Important data can be lost, privacy can be violated and the computer can even be used by an outside attacker to attack other computers on the Internet.

  6. WHO MIGHT ATTACK? • Hackers In security circles, most of these peopleare known as "script kiddies." • Business rivals Competitors may try to obtain information illicitly through your virtual back doors.

  7. WHO MIGHT ATTACK? • Foreign intelligence Another area of concern is foreign espionage. France, Israel, and Russia are known to have active industrial espionage efforts underway against the United States. • Insiders they may be hackers for their own amusement, for example, or they may be working for rivals or foreign intelligence agencies.

  8. Internet BusinessValue Extranets eCommerce Internet Presence Corporate Intranet Internet Access Security Considerations

  9. Objectives of Security • Confidentiality • Integrity • Availability

  10. Confidentiality • The process used to protect secret information from unauthorized disclosure. • Secret data needs to be protected when it is stored or when it is being transmitted over the network.

  11. Integrity • Refers to the unauthorized changing of creation of values of data within the system. • Data Integrity detects whether the data has been modified during transmission. Such modification may be the result of an attack or a transmission error ( corruption).

  12. Integrity (cont.) • There are legal concerns regarding • Anonymity of source • Ease of reproduction • Detection of alteration • Unauthorised disclosure • attribution

  13. Availability • Caused by equipment malfunction, equipment destruction (natural disaster) or equipment loss (theft). • Example: Computer Virus ( causes the system to be unavailable for an extended period while the virus is removed and corrupted data is reprocessed).

  14. Types of Security • Technical Countermeasures • Non-Technical Countermeasures • Physical • Procedural

  15. A Balanced Approach to Security Threats Resources Security Conscious People Policies & Procedure Network Controls Security Software

  16. Technical Countermeasures • Passwords • Encryption • Cryptography • Digital Signatures • Firewalls • Key locks • Smart cards • biometrics

  17. Passwords • computer system is password protected • Make passwords as meaningless as possible • No real words (forward or backwards) • Mixture of letters and numbers • Change passwords regularly • Never divulge passwords to anyone

  18. Encryption • Encryption technology ensures that messages cannot be intercepted or read by anyone other than the authorized recipient. • Encryption is usually deployed to protect data that is transported over a public network such as the Internet and uses advance mathematical algorithms to ‘scramble’ messages and their attachments.

  19. Where is Encryption used: • ATM’s • EFTPOS • Internet transaction • Protects medical records, corporate trades secrets, air traffic control centres etc.

  20. Cryptography • It is the practical art of converting messages or data into a different form, such that no-one can read them without having access to the 'key'. • The message may be converted using a 'code' (in which case each character or group of characters is substituted by an alternative one), or a 'cypher' or 'cipher' (in which case the message as a whole is converted, rather than individual characters). • Cryptanalysis is the science of 'breaking' or 'cracking' encryption schemes, i.e. discovering the decryption key.

  21. Symmetric Cryptography The same key is used for encrypting and decrypting messages

  22. Public Key Cryptography Multiple people encrypt messages using the recipient’s well-known public key. The recipient decrypts it with her private key.

  23. Public Key Cryptography (cont.) • A message encrypted with a Public Key can only be decrypted with the private Key • A message encrypted with the private key can only be decrypted with the public key

  24. Public Key Cryptography (cont.) • Key Distribution • Certification Authority (CA) acts as a trusted third party which distributes digital certificates. • The digital certificates which are publicly distributed contain a user’s public key as well as other information such as the user’s personal details and the expiry date of the key. • Registration Authoriy verifies a user’s identity at the time the user applies for a digital certificate. Often the CA and an RA are the same entities.

  25. Public Key Distribution

  26. Digital Signatures • Block of text that is used to verify that a message really comes from the claimed sender. • Can also be used to verify the time document was sent. • can only be generated by the sender and is very difficult for anyone else to forge.

  27. Digital Signature Process

  28. Digital Envelopes • Sender generates a random message key (K). Sender encrypts the message (M) with K, creating the cipher text message (CM). • Sender encrypts K with recipient’s public key (RPubK), generating cipher text CK. • Sender computes a digital signature (S) using her private signature (SPrivK) • Sender sends CK, CM and S to recipient. • Recipient uses his private key (RPrivK) to decrypt CK and obtain K. • Recipient uses K to decrypt CM and get M. • Recipient uses sender’s public key (SPubK) to validate S.

  29. Firewalls • A firewall is a device that is placed between your system and the internet. It can monitor and filter any incoming and outgoing traffic. • Offers a single point at which security can be monitored and alarms generated. • Encryption can be used as a safeguard. • There should be a security policy in place. • An important point need to keep in mind that firewalls are not always impenetrable.

  30. Physical Countermeasures • Is defined as the protection of its resources against threats of damage, theft and natural disasters. • Involves a layered approach

  31. Hacker Attacks Physical Intrusion Building Security End User Security Computer Security Unauthenticated Access Environmental Disruption

  32. Building Security • Guard • Alarm system • Surveillance system • Perimeter security ( adequate lighting, security fences) • Warning signs • Centralized control (response to an attack as quickly as possible)

  33. Procedural • Conditions of use (layout expectations) • Key locks • Supervision • Usage monitoring • Safe storage of data • Backup (make copies of data and softwares) • User authorisation • Intruder detection • Monitoring and control • Business Continuity Plans • Disaster Recovery Plans

  34. Disaster Recovery Plan • Approved set of arrangements and procedures that enable an organisation to respond to a disaster and resume its critical business functions within a defined time frame • Business Continuity Plan • Process of developing advanced arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue without interruption or essential change

  35. Natural Disasters • Causes extensive damage such as: • Loss of power, communication lines and processing; buildings set on fire; building collapsing. • To overcomes the damages organizations should: • Secure external communication links; Install lighting protection; create firebreaks around buildings; insure appropriate building construction.

  36. IT Security Policy • Examplehttp://www.uts.edu.au/div/publications/policies/select/itsecurity.html

  37. How to secure an environment Assess the Situation Fix High Risk Vulnerabilities Secure the Perimeter Secure the Interior Deploy Monitors Test\Attack High Risks

  38. Security Tips • Use protection software "anti-virus software" and keep it up to date. • Don't open email from unknown sources. • Use hard-to-guess passwords. • Protect your computer from Internet intruders -- use "firewalls". • Don't share access to your computers with strangers. Learn about file sharing risks. • Back up your computer data.

More Related