1 / 33

Security and Systems

Security and Systems. Three tenets of security. Confidentiality Integrity Availability. e-Security –the problem is real. 90% of companies surveyed by the FBI have detected cyber attacks recently

sveta
Télécharger la présentation

Security and Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and Systems

  2. Three tenets of security • Confidentiality • Integrity • Availability

  3. e-Security –the problem is real • 90% of companies surveyed by the FBI have detected cyber attacks recently • Disgruntled employees, industrial espionage, and data theft are responsible for 70-80% of security breaches • Increase in external threats from hackers, ex-employees, competitors and cyber terrorists • The rise of “Script Kiddies” - Hackers who do not target specific organizations, but run scripts scanning the net for ANY vulnerable network

  4. Security Myths • Nobody would want our data. • Who knows us? We are anonymous • There is no danger to my network at all. • I am not on the Internet, I am safe. • I don’t need any security devices. I have a Firewall • I have an antivirus on my server. I am safe • All our employees are very committed & reliable!

  5. Know your IT law • Cyber crimes • Hacking , damage to computer source code, publishing lascivious information in an electronic form, breach of privacy / confidentiality, publishing digital signature, etc. • Interception by Government • intercept any information transmitted through any computer resource if the same is necessary in the interest of the sovereignty or integrity of India, • Digital Signatures legally valid and enforceable.

  6. Know your IT law • Authentication of electronic records in India shall be effected by the use of asymmetric crypto system and hash function • If someone uses your network to attack an external network and the attacked complains, you are liable to be penalized • Companies must have a detailed I T Security Policy in tune with the mandatory specific provisions of the IT Act and IT Rules.

  7. Threats to data

  8. Protectable Data assets • Business Information – contracts, SLAs, financial data, customer details, etc • Intellectual property – source codes, inventions, research papers, etc • National secrets • E-commerce

  9. Threats to data • Accessed by External hackers • Divulged by ignorant employees • Corrupted by virus attacks • Hardware failures • Inadequate access controls • Badly designed applications • Clear transmission over public internet • Last but not the least system administrators !!

  10. Types of External Attacks • Malicious code attacks • Corporate espionage • Web graffiti • Denial-of-service • Database hacks • Installing Back doors • Identity Theft

  11. Typical Network Attack attack other hosts gain user access take or alter Information locate system to attack Cover tracks Install backdoors gain privilege access engage in other unauthorized activity

  12. Methods adopted in attacks • Pinging • Sniffing • Probing • Flooding • Hacking • Cracking • Scripting • Buffer Overflow • Reverse engineering

  13. Gain user access • Identity theft • Masquerading • Eavesdropping • Spoofing • Piggy backing • Social Engineering

  14. Alter or steal information • Sniffing • Man-in-the middle attacks • Cookies • Sabotage by employees

  15. Common Reasons • Flawed design or implementation of network infrastructure • Rapidly changing technologies • Lack of management understanding • New & mutating attacks • Inherent product weaknesses

  16. Internal Threats • Unrestricted access to internal systems • Bad security practices • Ignorant users • Lack of management understanding • New & mutating attacks • Inherent product weaknesses

  17. Protection mechanisms

  18. Data Lifecycle • Creation • Storage • Movement • Destruction

  19. Key security elements • Security Policy • Identity management • Robust Perimeter Security • Storage Security • Secure Transmission of data • Good Security Practices

  20. Identity • Accurate and positive identification of network users, hosts, applications, services, and resources. • Standard technologies • Kerberos • one-time password • Technologies used • digital certificates • smart cards • directory services (e.g. LDAP, ADS)

  21. Perimeter Security • Deals with controlling data that is passed between LAN and public internet • Perimeter is controlled by • Routers and switches • Firewalls • IDS / IPS • Antivirus • URL Filters • Network Traffic Analyzers

  22. Secure transmission • The ability to provide authenticated, confidential communication between systems • Data privacy is achieved by • Layer 2 Tunneling Protocol (L2TP) • IPsec • Data Encryption • PGP

  23. Layered Security 23

  24. Security Standards / Laws • BS7799 / IS17799 • Data Protection Act • HIPAA • SOX • IT Act (Indian cyberlaws)

  25. BS 15000 ISO 9001 (QMS) Standard Process Approach [P-D-C-A] BS 7799 BS7799, ISO 9000 & BS 15000 • BS 7799-certified companies are automatically Compliant with security section of BS 15000 • BS 15000 & BS 7799 adopt the P-D-C-A Process Approach of ISO 9001: 2000 QMS Standard

  26. Policy Management • Defining a clear security objective • Articulating clear policy • Implemented by suitable procedures • Audited regularly to ensure compliance • Training users • Improvising the procedures

  27. Good Security Practices

  28. Proactive measures

  29. Testing methods • Vulnerability assessment • Penetration testing • Detection measures • Response measures

  30. Best Practices • Understanding of the business needs • A security mission statement • Identification & Risk Analysis on Data • A strong commitment from upper management to allocate necessary resources • Clearly defined implemented and documented security policies and procedures

  31. Best Practices • A suite of host and network based security auditing and improvement tools • A security awareness program that reaches everyone in the organization • A dedicated team of trained security professionals and consultants to make it all happen

  32. To conclude • No technology used to protect your organization is 100% hackerproof • Good policies drive good implementation • Best policies without necessary awareness among personnel is in vain • Security is not a one-size-fits-all solution. • Security of organization assets is everyone’s responsibility.

  33. Prudenté Solution Pvt LtdPhone: 080 - 30667171email: srimathi@prudente.co.in

More Related