1 / 16

IT security notes

IT security notes. An overview of the subject Oct 2006 kristoffer miklas. What ?. To protect against misuse of assets. To ensure availability/usability of assets. …and… it’s a contradicting balance What will we discuss? Only half of the story: Protection against….

burian
Télécharger la présentation

IT security notes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT security notes An overview of the subject Oct 2006 kristoffer miklas

  2. What ? • To protect against misuse of assets. • To ensure availability/usability of assets. …and… it’s a contradicting balance • What will we discuss? • Only half of the story: • Protection against…

  3. Is security a technical question? • Absolutely not.  It’s a business (money) question. • Asset owner must asses the value of assets. • Assess risk probability and effect on business in case of event. • examples: • Product details, Customer data base, Prices and deals offered to customers. • In short: what is protected, and at what level • examples... • American mil contractor. • Banking money loss • Money safe • Are you security guy, or just the tech part of the jigsaw?

  4. Security is a moving target. • Examples… • bla, bla…. • Conclusion: there is no absolute security. • There is just a cost level.

  5. Who are the bad guys? • Script kiddies or wannabees. • Amatures or embezzlers. • Real crackers • Artists • Grafitti kids • Pride and fame • Enrichment • Crime • Corporations • Governements (French story) • External attackers • Insiders (disgrunted employees, selling info, example from Swedish gov.)

  6. Protection methods. • Perimeter security • Additional point security • Intrusion detection (alarm) • Audit (checking) • Emergence plan • Example: • Telia vs Felia (1996) • CIA

  7. Attacking methods • Mapping / staking out / info collection • Public info, dumpster diving, on site • Social engineering • Physical access • Proxy (insider) • Remote Access • Catch asset in transport • cool but cost ineffective • And…. good old fashion break in (Finnish story)

  8. example • Object: steal credit card data • Physical (restautant) • Remote access (database) • Intercept network transport (ridicilous)

  9. Delimiting discussion area • IT Security • Systems • Data • Data security • During storage • During transport

  10. Data protection • User Authetication • Data Integrity • Data Secrecy • Transaction non-repudiation

  11. Authentication • What you know • What you have • What you are

  12. Encryption as a tool • Symetric encryption • Secrecy • Key distribution problem • Asymetric encryption (public encryption) • Integrity, secrecy, key distribution • Lack real time efficeny

  13. Encyption details • Check the book….

  14. Firewalls… • Border, DMZ • Packet filter • Stateful inspection • Application proxies • Bastion Hosts • Attacking the FW OS • What about contents (airport analogy)

  15. Content anaysis • At FW • At MX server

  16. Security • It’s a business problem • Tech is just one piece of the jigsaw • Jurnos are friendly idiots • ”Experts” are at best harmless • Owners are often avoiding responsibility • Bean counters are the enemies best friends

More Related