The document provides an introduction to computer security including:
- The basic components of security such as confidentiality, integrity, and availability.
- Common security threats like snooping, modification, and denial of service attacks.
- Issues with security including operational challenges and human factors.
- An overview of security policies, access control models, and security models like Bell-LaPadula and Biba.
Threat modelling identifies potential security threats and vulnerabilities to develop mitigations. It is an essential process for managing cybersecurity risks. Threat response helps detect attacks in real time by monitoring activity and generating alerts. It allows security operators to quickly neutralize threats before they cause disruption. As technology plays a larger role, the need for threat modelling and response consultants has increased to combat cyber threats and protect organizations' data and systems.
This document provides an overview of network security threats and concepts. It discusses the rationale for network security, including increased internet connectivity, cybercrime, legislation/liabilities, and the proliferation and sophistication of threats. It describes the goals of information security programs to ensure confidentiality, integrity and availability. It also discusses security models, risks, vulnerabilities, attacks, and risk management strategies.
Information security involves protecting information from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of data regardless of its form. Key goals include preventing breaches of confidentiality which could harm businesses or individuals, and ensuring data integrity so it cannot be modified without authorization. Risk management is the ongoing process of identifying vulnerabilities, deciding on countermeasures to reduce risk to an acceptable level based on the value of the information assets.
Cybersecurity: How to Protect Your Firm from a Cyber AttackShawn Tuma
Cybersecurity attorney Shawn Tuma discusses the importance of cybersecurity for law firms. He notes that cybersecurity and privacy issues impact all law firms as clients demand adequate security and firms store sensitive data for multiple clients. While most breaches are from simple issues like weak passwords, law firms remain an attractive target. Tuma outlines 15 common cybersecurity best practices that firms should implement, such as risk assessments, security policies, workforce training, access controls, backups, and incident response plans. He emphasizes adopting a comprehensive cyber risk management program to protect firms from threats.
This document provides an overview of a computer and network security course. It discusses what topics will and won't be covered, including security threats, protocols, cryptography, and practical security issues but not advanced cryptography or computer networks. It also defines key security concepts like the CIA triad of confidentiality, integrity and availability. Additional topics covered include security attacks, services, and mechanisms like encryption, authentication, access control and intrusion detection.
This document provides an overview of a computer and network security course. It discusses what topics will and won't be covered, including security threats, protocols, cryptography, and practical security issues but not advanced cryptography or computer networks. It also defines key security concepts like the CIA triad of confidentiality, integrity and availability. Additional topics covered include security attacks, services, and mechanisms like encryption, authentication, access control and intrusion detection.
The document discusses cybersecurity incident response and preparation. It notes that two-thirds of surveyed executives ranked cybersecurity as a top risk, but only 19% expressed high confidence in their ability to respond to an incident. It then discusses defining incidents, typical attack timelines, preparing a response team and plan, minimizing impact during an incident through best practices, and conducting recovery preparations through training exercises.
Threat modelling identifies potential security threats and vulnerabilities to develop mitigations. It is an essential process for managing cybersecurity risks. Threat response helps detect attacks in real time by monitoring activity and generating alerts. It allows security operators to quickly neutralize threats before they cause disruption. As technology plays a larger role, the need for threat modelling and response consultants has increased to combat cyber threats and protect organizations' data and systems.
This document provides an overview of network security threats and concepts. It discusses the rationale for network security, including increased internet connectivity, cybercrime, legislation/liabilities, and the proliferation and sophistication of threats. It describes the goals of information security programs to ensure confidentiality, integrity and availability. It also discusses security models, risks, vulnerabilities, attacks, and risk management strategies.
Information security involves protecting information from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of data regardless of its form. Key goals include preventing breaches of confidentiality which could harm businesses or individuals, and ensuring data integrity so it cannot be modified without authorization. Risk management is the ongoing process of identifying vulnerabilities, deciding on countermeasures to reduce risk to an acceptable level based on the value of the information assets.
Cybersecurity: How to Protect Your Firm from a Cyber AttackShawn Tuma
Cybersecurity attorney Shawn Tuma discusses the importance of cybersecurity for law firms. He notes that cybersecurity and privacy issues impact all law firms as clients demand adequate security and firms store sensitive data for multiple clients. While most breaches are from simple issues like weak passwords, law firms remain an attractive target. Tuma outlines 15 common cybersecurity best practices that firms should implement, such as risk assessments, security policies, workforce training, access controls, backups, and incident response plans. He emphasizes adopting a comprehensive cyber risk management program to protect firms from threats.
This document provides an overview of a computer and network security course. It discusses what topics will and won't be covered, including security threats, protocols, cryptography, and practical security issues but not advanced cryptography or computer networks. It also defines key security concepts like the CIA triad of confidentiality, integrity and availability. Additional topics covered include security attacks, services, and mechanisms like encryption, authentication, access control and intrusion detection.
This document provides an overview of a computer and network security course. It discusses what topics will and won't be covered, including security threats, protocols, cryptography, and practical security issues but not advanced cryptography or computer networks. It also defines key security concepts like the CIA triad of confidentiality, integrity and availability. Additional topics covered include security attacks, services, and mechanisms like encryption, authentication, access control and intrusion detection.
The document discusses cybersecurity incident response and preparation. It notes that two-thirds of surveyed executives ranked cybersecurity as a top risk, but only 19% expressed high confidence in their ability to respond to an incident. It then discusses defining incidents, typical attack timelines, preparing a response team and plan, minimizing impact during an incident through best practices, and conducting recovery preparations through training exercises.
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
The document discusses approaches to information security, risk management, and cyber resilience. It recommends taking a three-pronged approach to information security that includes awareness, technical controls, and periodic reviews. It also suggests adopting a framework for cyber risk management that is appropriate for the organization's needs and risk appetite. Finally, it outlines six key points to achieving cyber resilience: organizational readiness, situational awareness, detection, cyber defense, mitigation and containment, and recovery.
- Basic concepts, a changing threat landscape, security intelligence methodology, the intelligence organization, metrics and effectiveness, automation of intelligence processes are discussed.
- Security intelligence involves gathering, evaluating, correlating and interpreting information to reduce uncertainty and enable decision making. The intelligence cycle includes direction, collection, processing, and dissemination.
- Threats have evolved from defacement to complex targeted attacks exploiting vulnerabilities. Intelligence collection targets both internal and external sources to understand evolving threats.
- Automation is being used to help with collection, analysis, and hypothesis generation, but human analysis and judgment remain important aspects of the intelligence process.
Combating Cyber Crimes 2 is the 6th Nugget in the series Cyber Security Awareness Month 2017. It is important to 'STOP, THINK before CONNECTing to the Internet Resources.
This document provides an overview and introduction to cybersecurity concepts. It discusses key topics such as risk, common attack types and vectors, security architecture principles including defense in depth and cryptography. Specifically, it defines cybersecurity and its objectives of confidentiality, integrity and availability. It also explains common cybersecurity concepts like vulnerabilities, threats and risk analysis and assessments. Various attack types are outlined including malware, advanced persistent threats, man-in-the-middle attacks and SQL injection.
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
Although the majority of organizations subscribe to threat intelligence feeds to enhance their security decision making, it's difficult to take full advantage of true insights due to the overwhelming amounts of information available. Even with an integrated security operations portfolio to identify and respond to threats, many companies don't take full advantage of the benefits of external context that threat intelligence brings to identify true indicators of compromise. By taking advantage of both machine- and human-generated indicators within a collaborative threat intelligence platform, security analysts can streamline investigations and speed the time to action.
Join this webinar to hear from the IBM Security Chief Technology Officer for Threat Intelligence to learn:
How the IBM Security Operations and Response architecture can help you identify and response to threats faster
Why threat intelligence is a fundamental component of security investigations
How to seamlessly integrate threat intelligence into existing security solutions for immediate action
Joel Oseiga Aleburu presented on architecting for security resilience. The presentation covered basic definitions like security, vulnerability and resilience. It discussed basic principles for secure design like earning trust rather than assuming it. The presentation also covered application threat modeling, common architectural flaws, and questions. It emphasized that processes, not just products, prevent cyber attacks and outlined techniques like STRIDE for threat modeling.
Small businesses are appealing targets for cyberattacks due to having more digital assets than individual consumers but less security than larger enterprises. Common cyberattacks against small businesses include phishing, ransomware, and malware which aim to steal sensitive data. While large breaches make headlines, over 60% of data breach victims are small businesses. It is important for small businesses to implement cybersecurity best practices such as keeping software updated, educating employees, having formal security policies, and purchasing cybersecurity insurance to protect against the costs of a breach.
With more than 50,000 new malware created every day organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap required to best protection against cyber attacks. We will provide you with a high level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
The EU Global Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline of mandates only 6 months away, you don't want to fall behind and leave your organization at risk for potential penalties and fines.
This document discusses incident response and handling. It outlines the key steps in the incident response process: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves forming a response team, developing procedures, and gathering resources. Identification involves determining the scope of an incident and preserving evidence. Containment focuses on limiting the damage of an incident through actions like quarantining systems, analyzing initial data, and making backups. Eradication aims to completely remove malicious software from affected systems.
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...patmisasi
The document discusses the need for organizations to have an incident response (IR) framework to adequately prepare for security incidents. It introduces the VERIS framework, which can help lay the foundation for an IR program by describing attacks. VERIS provides a common vocabulary for recording and sharing information about security incidents and helps organizations understand the variety of actions, actors, assets, and attributes involved in incidents to improve detection and response capabilities. The document advocates that understanding details about incidents through frameworks like VERIS is important because organizations cannot detect or respond to what they do not understand or know about attacks and attackers.
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at Misti's InfoSec World during the Privacy & Risk Summit on March 22, 2018, in Orlando, Florida.
Gainful Information Security is an information security and systems development firm established in Harare, Zimbabwe in 2007 to partner with African private and public sectors for a secure, efficient and cost-effective information lifecycle.
The document discusses key concepts in computer security including confidentiality, integrity, availability, threats, vulnerabilities, attacks, risks, and countermeasures. It defines common computer security terminology such as adversaries, attacks, risks, security policies, and system resources. The document also covers topics like passive and active attacks, security functional requirements, the scope of computer security, and security services related to authentication, access control, data confidentiality, data integrity, non-repudiation, and availability.
this ppt deals with the Information security, threats and control, digital signature,hierarchy of Information baseline. Risk assessment process and security process to handle threats
This document provides guidelines for establishing effective computer security incident response capabilities. It assists organizations in creating incident response teams and processes for efficiently handling incidents. The guidelines can be applied independently of specific hardware, software, protocols or applications. The document recommends establishing planning, preparation, detection and analysis, containment, eradication and recovery as key phases in the incident response process.
Session 1 (one) of the course Information Security and business continuity. Concept of Information security , Term , Trends and Impact are discussed .
Presented at Bangladesh Institute of Management on 21 November 2015.
The document summarizes key concepts from the book "Computer Security: Principles and Practice" by Stallings, Brown, and Bauer. It defines computer security as measures that ensure confidentiality, integrity, and availability of information systems. It outlines threats to computer security like unauthorized disclosure, deception, disruption, and usurpation. It also defines security terminology like attacks, vulnerabilities, risks, and countermeasures. The document presents models for understanding computer security and the relationships between threats, vulnerabilities, attacks, and assets.
Lecture 01- What is Information Security.pptshahadd2021
This document provides an introduction to information security concepts. It defines information security as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction in order to preserve confidentiality, integrity and availability. The goals of information security are prevention, detection and recovery. Key concepts discussed include threats, vulnerabilities, risks, assets, and the CIA triad of confidentiality, integrity and availability. Common types of security attacks like interception, interruption, modification and fabrication are also outlined.
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
The document discusses approaches to information security, risk management, and cyber resilience. It recommends taking a three-pronged approach to information security that includes awareness, technical controls, and periodic reviews. It also suggests adopting a framework for cyber risk management that is appropriate for the organization's needs and risk appetite. Finally, it outlines six key points to achieving cyber resilience: organizational readiness, situational awareness, detection, cyber defense, mitigation and containment, and recovery.
- Basic concepts, a changing threat landscape, security intelligence methodology, the intelligence organization, metrics and effectiveness, automation of intelligence processes are discussed.
- Security intelligence involves gathering, evaluating, correlating and interpreting information to reduce uncertainty and enable decision making. The intelligence cycle includes direction, collection, processing, and dissemination.
- Threats have evolved from defacement to complex targeted attacks exploiting vulnerabilities. Intelligence collection targets both internal and external sources to understand evolving threats.
- Automation is being used to help with collection, analysis, and hypothesis generation, but human analysis and judgment remain important aspects of the intelligence process.
Combating Cyber Crimes 2 is the 6th Nugget in the series Cyber Security Awareness Month 2017. It is important to 'STOP, THINK before CONNECTing to the Internet Resources.
This document provides an overview and introduction to cybersecurity concepts. It discusses key topics such as risk, common attack types and vectors, security architecture principles including defense in depth and cryptography. Specifically, it defines cybersecurity and its objectives of confidentiality, integrity and availability. It also explains common cybersecurity concepts like vulnerabilities, threats and risk analysis and assessments. Various attack types are outlined including malware, advanced persistent threats, man-in-the-middle attacks and SQL injection.
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
Although the majority of organizations subscribe to threat intelligence feeds to enhance their security decision making, it's difficult to take full advantage of true insights due to the overwhelming amounts of information available. Even with an integrated security operations portfolio to identify and respond to threats, many companies don't take full advantage of the benefits of external context that threat intelligence brings to identify true indicators of compromise. By taking advantage of both machine- and human-generated indicators within a collaborative threat intelligence platform, security analysts can streamline investigations and speed the time to action.
Join this webinar to hear from the IBM Security Chief Technology Officer for Threat Intelligence to learn:
How the IBM Security Operations and Response architecture can help you identify and response to threats faster
Why threat intelligence is a fundamental component of security investigations
How to seamlessly integrate threat intelligence into existing security solutions for immediate action
Joel Oseiga Aleburu presented on architecting for security resilience. The presentation covered basic definitions like security, vulnerability and resilience. It discussed basic principles for secure design like earning trust rather than assuming it. The presentation also covered application threat modeling, common architectural flaws, and questions. It emphasized that processes, not just products, prevent cyber attacks and outlined techniques like STRIDE for threat modeling.
Small businesses are appealing targets for cyberattacks due to having more digital assets than individual consumers but less security than larger enterprises. Common cyberattacks against small businesses include phishing, ransomware, and malware which aim to steal sensitive data. While large breaches make headlines, over 60% of data breach victims are small businesses. It is important for small businesses to implement cybersecurity best practices such as keeping software updated, educating employees, having formal security policies, and purchasing cybersecurity insurance to protect against the costs of a breach.
With more than 50,000 new malware created every day organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap required to best protection against cyber attacks. We will provide you with a high level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
The EU Global Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline of mandates only 6 months away, you don't want to fall behind and leave your organization at risk for potential penalties and fines.
This document discusses incident response and handling. It outlines the key steps in the incident response process: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves forming a response team, developing procedures, and gathering resources. Identification involves determining the scope of an incident and preserving evidence. Containment focuses on limiting the damage of an incident through actions like quarantining systems, analyzing initial data, and making backups. Eradication aims to completely remove malicious software from affected systems.
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...patmisasi
The document discusses the need for organizations to have an incident response (IR) framework to adequately prepare for security incidents. It introduces the VERIS framework, which can help lay the foundation for an IR program by describing attacks. VERIS provides a common vocabulary for recording and sharing information about security incidents and helps organizations understand the variety of actions, actors, assets, and attributes involved in incidents to improve detection and response capabilities. The document advocates that understanding details about incidents through frameworks like VERIS is important because organizations cannot detect or respond to what they do not understand or know about attacks and attackers.
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at Misti's InfoSec World during the Privacy & Risk Summit on March 22, 2018, in Orlando, Florida.
Gainful Information Security is an information security and systems development firm established in Harare, Zimbabwe in 2007 to partner with African private and public sectors for a secure, efficient and cost-effective information lifecycle.
The document discusses key concepts in computer security including confidentiality, integrity, availability, threats, vulnerabilities, attacks, risks, and countermeasures. It defines common computer security terminology such as adversaries, attacks, risks, security policies, and system resources. The document also covers topics like passive and active attacks, security functional requirements, the scope of computer security, and security services related to authentication, access control, data confidentiality, data integrity, non-repudiation, and availability.
this ppt deals with the Information security, threats and control, digital signature,hierarchy of Information baseline. Risk assessment process and security process to handle threats
This document provides guidelines for establishing effective computer security incident response capabilities. It assists organizations in creating incident response teams and processes for efficiently handling incidents. The guidelines can be applied independently of specific hardware, software, protocols or applications. The document recommends establishing planning, preparation, detection and analysis, containment, eradication and recovery as key phases in the incident response process.
Session 1 (one) of the course Information Security and business continuity. Concept of Information security , Term , Trends and Impact are discussed .
Presented at Bangladesh Institute of Management on 21 November 2015.
The document summarizes key concepts from the book "Computer Security: Principles and Practice" by Stallings, Brown, and Bauer. It defines computer security as measures that ensure confidentiality, integrity, and availability of information systems. It outlines threats to computer security like unauthorized disclosure, deception, disruption, and usurpation. It also defines security terminology like attacks, vulnerabilities, risks, and countermeasures. The document presents models for understanding computer security and the relationships between threats, vulnerabilities, attacks, and assets.
Lecture 01- What is Information Security.pptshahadd2021
This document provides an introduction to information security concepts. It defines information security as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction in order to preserve confidentiality, integrity and availability. The goals of information security are prevention, detection and recovery. Key concepts discussed include threats, vulnerabilities, risks, assets, and the CIA triad of confidentiality, integrity and availability. Common types of security attacks like interception, interruption, modification and fabrication are also outlined.
The document discusses key concepts in cloud security including confidentiality, integrity, and availability (CIA triad). It also covers vulnerabilities, threats, attacks, and countermeasures. The objectives of cloud security are to protect systems, data, information, and build trust by preventing attacks, detecting breaches, defending against threats, and deterring attackers through appropriate security measures.
Ethical hacking is becoming more popular with the rise of the internet and other tech-fueled society. SCODE Network offers Ethical hacking training courses with live projects by an expert trainer.
Ethical hacking is becoming more popular with the rise of the internet and other tech-fueled society. Hackers are increasingly becoming more prevalent and ethical hackers help keep our society safe from attacks. SCODE Network offers Ethical hacking training courses with live projects by an expert trainer.
About the PresentationsThe presentations cover the objectives .docxaryan532920
About the Presentations
The presentations cover the objectives found in the opening of each chapter.
All chapter objectives are listed in the beginning of each presentation.
You may customize the presentations to fit your class needs.
Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.
1
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 01
An Overview of Information
Security and Risk Management
2
2
Objectives
Define and explain information security
Identify and explain the basic concepts of risk management
List and discuss the components of contingency planning
Describe the role of information security policy in the development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
3
Introduction
Contingency planning
Being ready for incidents and disasters
Example: 1/10 of one percent of online users
Allows for two and a half million potential attackers
Example: World Trade Center (WTC) organizations
Had contingency plans due to February 1993 attack
Example: 2008 Gartner report
2/3 of organizations invoked plans in prior two years
Information security includes contingency planning
Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
4
Information Security
Committee on National Security Systems (CNSS) information security definition
Protection of information and its critical elements
Includes systems and hardware storing, transmitting information
Part of the CNSS model (evolved from C.I.A. triangle)
Conceptual framework for understanding security
Information security (InfoSec)
Protection of confidentiality, integrity, and availability of information
In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
5
Key Information Security Concepts
Threat: object, person, other entity posing potential risk of loss to an asset
Asset: organizational resource being protected
Logical or physical
Attack: attempt to cause damage to or compromise information of supporting systems
Arises from a threat; intentional or unintentional
Threat-agent: threat instance
Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
6
Key Information Security Concepts (cont’d.)
Vulnerability
Flaw or weakness in system security procedures, design, implementation, internal controls
Results in security breach or security policy violation
Well-known or latent
Exercised accidently or intentionally
Exploit: caused by threat-agent
Can exploit system or information through illegal use
Can create an exploit to target a specific vulnerability
Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
7
Key Information Security Concepts (cont’d.)
Princ.
About the PresentationsThe presentations cover the objectives .docxbartholomeocoombs
About the Presentations
The presentations cover the objectives found in the opening of each chapter.
All chapter objectives are listed in the beginning of each presentation.
You may customize the presentations to fit your class needs.
Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.
1
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 01
An Overview of Information
Security and Risk Management
2
2
Objectives
Define and explain information security
Identify and explain the basic concepts of risk management
List and discuss the components of contingency planning
Describe the role of information security policy in the development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
3
Introduction
Contingency planning
Being ready for incidents and disasters
Example: 1/10 of one percent of online users
Allows for two and a half million potential attackers
Example: World Trade Center (WTC) organizations
Had contingency plans due to February 1993 attack
Example: 2008 Gartner report
2/3 of organizations invoked plans in prior two years
Information security includes contingency planning
Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
4
Information Security
Committee on National Security Systems (CNSS) information security definition
Protection of information and its critical elements
Includes systems and hardware storing, transmitting information
Part of the CNSS model (evolved from C.I.A. triangle)
Conceptual framework for understanding security
Information security (InfoSec)
Protection of confidentiality, integrity, and availability of information
In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
5
Key Information Security Concepts
Threat: object, person, other entity posing potential risk of loss to an asset
Asset: organizational resource being protected
Logical or physical
Attack: attempt to cause damage to or compromise information of supporting systems
Arises from a threat; intentional or unintentional
Threat-agent: threat instance
Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
6
Key Information Security Concepts (cont’d.)
Vulnerability
Flaw or weakness in system security procedures, design, implementation, internal controls
Results in security breach or security policy violation
Well-known or latent
Exercised accidently or intentionally
Exploit: caused by threat-agent
Can exploit system or information through illegal use
Can create an exploit to target a specific vulnerability
Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
7
Key Information Security Concepts (cont’d.)
Princ.
This document discusses network security and defines key concepts. It explains that security aims to protect confidentiality, integrity, and availability of information. The main pillars of security are the CIA triangle of confidentiality, integrity, and availability. Vulnerabilities are weaknesses that can be exploited by threats to carry out attacks, which aim to intercept, interrupt, modify or fabricate information. Common attacks include eavesdropping, cryptanalysis, password pilfering through guessing, social engineering, dictionary attacks and password sniffing. Controls work to reduce vulnerabilities and block threats to prevent harm.
This document provides an overview of key concepts in information security from a lecture on security concepts. It defines security as keeping the possibility of threats low, and discusses specialized security areas like physical, personal, communications, network, and data security. It also defines computer security as protecting computer systems, hardware, software, data and information from threats. The document then examines common security vulnerabilities, threats, and the vulnerability-threat-control paradigm. It discusses goals of security like confidentiality, integrity and availability.
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurvkarthi314
The document discusses network security. It defines computer security, network security, and internet security. The key aspects of network security are confidentiality, integrity, and availability. It describes different types of security attacks like passive attacks involving interception and traffic analysis, and active attacks like masquerade, replay, message modification, and denial of service. It also discusses different impact levels of security breaches and challenges in computer security. Finally, it presents models for network security and network access security.
Information Technology Security BasicsMohan Jadhav
The document discusses various topics related to IT security basics. It begins by providing two examples of security breaches to illustrate why security is important. It then discusses the four virtues of security and the nine rules of security. The document also defines information security, its goal of ensuring confidentiality, integrity and availability of systems, and the potential impacts of security failures. Additionally, it outlines common security definitions, 10 security domains, and provides an overview of access control and application security.
This document provides an introduction to computer security and security trends. It discusses the need for security as information has become a strategic asset for organizations. The main aspects of security are prevention, detection, and reaction. It then covers key security concepts like confidentiality, integrity, availability, authentication, access control, and non-repudiation. The document also examines common security threats like viruses, worms, intruders, insiders, criminal organizations, terrorists, and information warfare and how they can attack systems.
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)
This document discusses network security. It defines network security and outlines some of the key challenges, such as the increasing sophistication of hacking tools. It then covers security roles, issues, goals, and components. These include authentication, authorization, privacy, integrity, availability, and nonrepudiation. The document also discusses data classification for public/private organizations and controls like administrative, technical, and physical controls. It outlines how to prosecute security breaches and addresses legal liability issues. Finally, it provides recommendations for examining security across an organization's entire network.
Cybersecurity Interview Questions and Answers.pdfJazmine Brown
Cyber security professionals are in high demand, and those willing to learn new skills to enter the area will have plenty of opportunities. Our goal is to present you with the most comprehensive selection of cybersecurity interview questions available.
Some Fundamental Concepts About Information Technology Security & Risks.
Please suggest any edit/changes if required.
I hope this will help you guys :)
The document discusses cyber security and computer security. It defines key terms like computer security, network security, and internet security. It describes security attacks like passive attacks involving eavesdropping and active attacks involving modifying data. It also discusses security services like confidentiality, authentication, and integrity, and security mechanisms like encryption and digital signatures that are used to provide these security services and counter security attacks. Finally, it presents models for network security and network access security.
Strategic Leadership for Managing Evolving Cybersecurity RisksMatthew Rosenquist
2014 NSF Cybersecurity Summit keynote presentation from Matthew Rosenquist, Cybersecurity Strategist for Intel Corp.
Cybersecurity is difficult. It is a serious endeavor which strives to find a balance in managing the security of computing capabilities to protect the technology which connects and enriches the lives of everyone. Characteristics of cyber risk have matured and expanded on the successes of technology innovation, integration, and adoption. It is no longer a game of tactics, but rather a professional discipline, continuous in nature, where to be effective strategic leadership must establish effective and efficient structures for evolving controls to sustain an optimal level of security.
This presentation will discuss the challenges, organizational opportunities, and explore best practices to align investments in security to the risk appetite of an organization.
This document provides an introduction to information security concepts. It defines information security as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. The key aspects of information security are confidentiality, integrity and availability. Basic security terminology like identification, authentication, access control and confidentiality are explained. Common network vulnerabilities like weak passwords, protocol design flaws, and unauthorized access through modems are also discussed. The importance of network security is to protect company assets, gain competitive advantage and ensure regulatory compliance.
Cryptography and Network Security provides an overview of key concepts in computer and network security. It discusses standards organizations and introduces topics like symmetric and asymmetric encryption, hashing, and network security. The document outlines models for providing security services and mechanisms, explaining how authentication, access control, data confidentiality, and other services can be achieved through the use of cryptographic algorithms, secret keys, and security protocols. It also defines security attacks and the levels of impact breaches may cause.
This document discusses various computer arithmetic operations including addition, subtraction, multiplication, and division for signed magnitude and two's complement data representations. It describes the Booth multiplication algorithm, array multipliers for performing multiplication using combinational circuits, and the division algorithm. It also covers detecting divide overflow conditions.
Cookies and sessions allow servers to remember information about users across multiple web pages. Cookies are small files stored on a user's computer that identify users and can store data to be accessed on subsequent page requests. Sessions use cookies to identify users and store temporary data on the server side to be accessed across multiple pages in one application, such as usernames or preferences. Both cookies and sessions must be started before any page output to ensure headers are sent before the page body.
This document discusses different aspects of functions in programming including declaring and calling functions, passing arguments to functions, and returning values from functions. It also covers variable scope. Some key points covered are declaring functions with and without arguments, specifying default values, returning single values or arrays from functions, and understanding variable scope and how it relates to the global and $GLOBALS keywords and array.
This document discusses various aspects of working with web forms in PHP, including:
1) Useful server variables for forms like QUERY_STRING and SERVER_NAME.
2) Accessing form parameters submitted to the server.
3) Processing forms with functions, including validating form data with techniques like checking for required fields and valid email addresses.
4) Displaying default values or error messages for form fields.
5) Stripping HTML tags from form inputs and encoding special characters for safe display.
The document provides examples of implementing each of these techniques.
The document discusses various programming concepts related to decision making and repetition in code including understanding true and false values, using if/elseif/else statements, equality and relational operators, logical operators, and using while and for loops to repeat code. Specific topics covered include evaluating booleans, making single and multi-line if statements, comparing different data types, negation, and printing select menus with loops.
This document discusses working with arrays in PHP. It covers array basics like creating and accessing arrays, looping through arrays with foreach and for loops, modifying arrays by adding/removing elements and sorting arrays. It also discusses multidimensional arrays, how to create them and access elements within them.
This document discusses text and numbers in programming. It covers defining and manipulating text strings using single or double quotes. Escape characters can be used inside strings. Text can be validated and formatted using various string functions like trim(), strlen(), strtoupper(), substr(), and str_replace(). Numbers can be integers or floats. Variables hold data and can be operated on with arithmetic and assignment operators like +, -, *, /, %, and .=. Variables can also be incremented, decremented, and placed inside strings.
This document provides an introduction and overview of PHP for beginners. It discusses PHP's use for building websites, how PHP code is run on web servers and accessed through browsers. It then highlights some key advantages of PHP like being free, cross-platform, and widely used. It demonstrates a basic "Hello World" PHP program and shows how to output HTML forms and formatted numbers. Finally, it outlines some basic rules of PHP programs regarding tags, syntax, whitespace, comments, and case sensitivity.
The document discusses capacity planning for a data warehouse environment. It notes that capacity planning is important given the large volumes of data and processing in a data warehouse. It describes factors that make capacity planning unique for a data warehouse, such as variable workloads and larger data volumes than operational systems. The document provides guidance on estimating disk storage needs, classifying and estimating processing workloads, creating workload profiles, identifying peak capacity needs, and selecting hardware capacity to meet needs.
Data warehousing involves assembling and managing data from various sources to provide an integrated view of enterprise information. A data warehouse contains consolidated, historical data used to support management decision making. It differs from operational databases by containing aggregated, non-volatile data optimized for queries rather than updates. The extract, transform, load (ETL) process migrates data from source systems to the warehouse, transforming it as needed. Process managers oversee loading, maintaining, and querying the warehouse data.
Search engines allow users to search the vast collection of documents on the web. They consist of crawlers that fetch web pages, indexers that analyze page content and links, and interfaces that allow users to enter queries. Crawlers add pages to an index by following links, and indexers create inverted indexes to map words to pages. When a query is searched, results are retrieved from the index and ranked based on relevance. PageRank is a key algorithm that ranks pages higher that receive more links from other highly ranked pages. While it effectively searches the large, diverse and dynamic web, search poses challenges in understanding ambiguous queries over an evolving collection.
Web mining involves applying data mining techniques to discover useful information from web data. There are three types of web mining: web content mining analyzes data within web pages, web structure mining examines the hyperlink structure between pages, and web usage mining involves analyzing server logs to discover patterns in user behavior and interactions with websites. Web mining has applications in website design, web traffic analysis, e-commerce personalization, and security/crime investigation.
Information privacy and data mining
The document discusses information privacy and data mining. It defines information privacy as an individual's ability to control how information about them is shared. It outlines the basic OECD principles for protecting information privacy, including collection limitation, purpose specification, use limitation, security safeguards, and accountability. It describes common uses of data mining like fraud prevention but also potential misuses that can violate privacy. The document also discusses the primary aims of data mining applications and five pitfalls like unintentional mistakes, intentional abuse, and mission creep.
The document discusses cluster analysis, which groups data objects into clusters so that objects within a cluster are similar but dissimilar to objects in other clusters. It describes key characteristics of clustering, including that it is unsupervised learning and the clusters are determined algorithmically rather than by humans. Various clustering algorithms are covered, including partitioning, hierarchical, density-based, and grid-based methods. Applications of clustering discussed include business intelligence, image recognition, web search, outlier detection, and biology. Requirements for effective clustering in data mining are also outlined.
Association analysis is a technique used to uncover relationships between items in transactional data. It involves finding frequent itemsets whose occurrence exceeds a minimum support threshold, and then generating association rules from these itemsets that satisfy minimum confidence. The Apriori algorithm is commonly used for this task, as it leverages the Apriori property to prune the search space - if an itemset is infrequent, its supersets cannot be frequent. It performs multiple database scans to iteratively grow frequent itemsets and extract high confidence rules.
Classification techniques in data miningKamal Acharya
The document discusses classification algorithms in machine learning. It provides an overview of various classification algorithms including decision tree classifiers, rule-based classifiers, nearest neighbor classifiers, Bayesian classifiers, and artificial neural network classifiers. It then describes the supervised learning process for classification, which involves using a training set to construct a classification model and then applying the model to a test set to classify new data. Finally, it provides a detailed example of how a decision tree classifier is constructed from a training dataset and how it can be used to classify data in the test set.
This document outlines a chapter on data preprocessing that discusses data types, attributes, and preprocessing tasks. It begins by defining data and attributes, then describes different types of attributes like nominal, binary, ordinal, and numeric attributes. It also discusses different types of datasets like records, documents, transactions, and graphs. The major section on data preprocessing outlines why it is important and describes tasks like data cleaning, integration, transformation, reduction, and discretization to prepare dirty or unstructured data for analysis.
Introduction to Data Mining and Data WarehousingKamal Acharya
This document provides details about a course on data mining and data warehousing. The course objectives are to understand the foundational principles and techniques of data mining and data warehousing. The course description covers topics like data preprocessing, classification, association analysis, cluster analysis, and data warehouses. The course is divided into 10 units that cover concepts and algorithms for data mining techniques. Practical exercises are included to apply techniques to real-world data problems.
Decolonizing Universal Design for LearningFrederic Fovet
UDL has gained in popularity over the last decade both in the K-12 and the post-secondary sectors. The usefulness of UDL to create inclusive learning experiences for the full array of diverse learners has been well documented in the literature, and there is now increasing scholarship examining the process of integrating UDL strategically across organisations. One concern, however, remains under-reported and under-researched. Much of the scholarship on UDL ironically remains while and Eurocentric. Even if UDL, as a discourse, considers the decolonization of the curriculum, it is abundantly clear that the research and advocacy related to UDL originates almost exclusively from the Global North and from a Euro-Caucasian authorship. It is argued that it is high time for the way UDL has been monopolized by Global North scholars and practitioners to be challenged. Voices discussing and framing UDL, from the Global South and Indigenous communities, must be amplified and showcased in order to rectify this glaring imbalance and contradiction.
This session represents an opportunity for the author to reflect on a volume he has just finished editing entitled Decolonizing UDL and to highlight and share insights into the key innovations, promising practices, and calls for change, originating from the Global South and Indigenous Communities, that have woven the canvas of this book. The session seeks to create a space for critical dialogue, for the challenging of existing power dynamics within the UDL scholarship, and for the emergence of transformative voices from underrepresented communities. The workshop will use the UDL principles scrupulously to engage participants in diverse ways (challenging single story approaches to the narrative that surrounds UDL implementation) , as well as offer multiple means of action and expression for them to gain ownership over the key themes and concerns of the session (by encouraging a broad range of interventions, contributions, and stances).
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapitolTechU
Slides from a Capitol Technology University webinar held June 20, 2024. The webinar featured Dr. Donovan Wright, presenting on the Department of Defense Digital Transformation.
How to Create a Stage or a Pipeline in Odoo 17 CRMCeline George
Using CRM module, we can manage and keep track of all new leads and opportunities in one location. It helps to manage your sales pipeline with customizable stages. In this slide let’s discuss how to create a stage or pipeline inside the CRM module in odoo 17.
Brand Guideline of Bashundhara A4 Paper - 2024khabri85
It outlines the basic identity elements such as symbol, logotype, colors, and typefaces. It provides examples of applying the identity to materials like letterhead, business cards, reports, folders, and websites.
Post init hook in the odoo 17 ERP ModuleCeline George
In Odoo, hooks are functions that are presented as a string in the __init__ file of a module. They are the functions that can execute before and after the existing code.
(𝐓𝐋𝐄 𝟏𝟎𝟎) (𝐋𝐞𝐬𝐬𝐨𝐧 3)-𝐏𝐫𝐞𝐥𝐢𝐦𝐬
Lesson Outcomes:
- students will be able to identify and name various types of ornamental plants commonly used in landscaping and decoration, classifying them based on their characteristics such as foliage, flowering, and growth habits. They will understand the ecological, aesthetic, and economic benefits of ornamental plants, including their roles in improving air quality, providing habitats for wildlife, and enhancing the visual appeal of environments. Additionally, students will demonstrate knowledge of the basic requirements for growing ornamental plants, ensuring they can effectively cultivate and maintain these plants in various settings.
2. Syllabus:
Basic components of security (Confidentiality, Integrity and
Availability),
Security threats (Snooping, Modification, Masquerading,
repudiation of origin, denial of receipt, Delay, Denial of
service),
Issues with security (Operational issues, human issues),
Security Policies, Type of security policy,
Access control, Type of access control (Introduction to MAC,
DAC, Originator Controlled Access Control, Role Based
Access Control)
Overview of the Bell-LaPadula Model and Biba integrity
model.
2
3. Network Security: Analogy..!!
“The art of war teaches us to rely not on the likelihood
of the enemy's not coming, but on our own readiness to
receive him; not on the chance of his not attacking, but
rather on the fact that we have made our position
unassailable.”
- The Art of War, Sun Tzu
3
4. Computer Security: ?
The protection afforded to an automated information
system in order to attain the applicable objectives of
preserving the integrity, availability and confidentiality
of information system resources
(includes hardware, software, firmware, information/data, and
telecommunications)
- NIST 1995
4
6. Basic components of security
Confidentiality
Data confidentiality: Assures that confidential information is
not disclosed to unauthorized individuals
Privacy: Assures that individual control or influence what
information may be collected and stored
Integrity
Data integrity: assures that information and programs are
changed only in a specified and authorized manner
System integrity: Assures that a system performs its
operations in unimpaired manner
Availability: assure that systems works promptly and service is
not denied to authorized users
6
7. Basic components of security
Although the use of the CIA triad to define security
objectives is well established, some in the security
field feel that additional concepts are needed to
present a complete picture.
Two of the most commonly mentioned are:
Authenticity: The property of being genuine and being
able to be verified and trusted; confidence in the validity of
a transmission, a message, or message originator.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to
that entity.
7
8. Levels of security breach impact
Low: the loss will have a limited impact,
e.g., a degradation in mission or minor damage or minor
financial loss or minor harm
Moderate: the loss has a serious effect,
e.g., significance degradation on mission or significant
harm to individuals but no loss of life or threatening
injuries
High: the loss has severe or catastrophic adverse
effect on operations, organizational assets or on
individuals
e.g., loss of life
8
9. Examples of security requirements: Confidentiality
Student grade information is an asset whose
confidentiality is considered to be very high
The US FERPAAct: grades should only be available to
students, their parents, and their employers (when required
for the job)
Student enrollment information: may have moderate
confidentiality rating; less damage if enclosed
Directory information: low confidentiality rating;
often available publicly
9
10. Examples of security requirements: Integrity
A hospital patient’s allergy information (high
integrity data): a doctor should be able to trust that
the info is correct and current
If a nurse deliberately falsifies the data, the database should
be restored to a trusted basis and the falsified information
traced back to the person who did it
An online newsgroup registration data: moderate
level of integrity
An example of low integrity requirement:
anonymous online poll (inaccuracy is well
understood)
10
11. Examples of security requirements: Availability
A system that provides authentication: high
availability requirement
If customers cannot access resources, the loss of services
could result in financial loss
A public website for a university: a moderate
availably requirement; not critical but causes
embarrassment
An online telephone directory lookup: a low
availability requirement because unavailability is
mostly annoyance (there are alternative sources)
11
15. Hacker vs. Cracker: Assignment
“All Crackers are Hackers, But Not all Hackers
are Crackers”
Is This Statement True ???
Justify this Statement with a Suitable Example.
15
16. Threat Vs. Attack
A threat is a “potential” violation of security
The violation need not actually occur
The fact that the violation might occur makes it a
threat
It is important to guard against threats and be
prepared for the actual violation
The actual violation of security is called an
attack
16
17. Challenges of computer security
Computer security is not simple
One must consider potential (unexpected) attacks
Procedures used are often counter-intuitive
Must decide where to deploy mechanisms
Involve algorithms and secret info (keys)
A battle of wits between attacker / admin
It is not perceived on benefit until fails
Requires constant monitoring
Too often an after-thought (not integral)
Regarded as impediment to using system
17
18. Security: Categories ??
Information Security
Protecting Information from Intruders who could possibly
harm the state of Information.
Information in encrypted form is most widely used form of
security.
Network Security
Protecting Information from Intruders during its transmission.
Protecting Network Services From Intruders.
Very Critical and difficult to maintain
18
19. Security: Categories ??
Computer Security
Protecting system from malicious software, network attacks.
Generic name for the collection of tools designed to protect
data and to prevent hackers.
Keep up a system running.
Internet Security
Measure to protect data during their transmission over a
collection of interconnected networks.
19
20. Security: Attacks..!!
Security Attacks Exploitation of Vulnerability.
Types of Security Attacks.
Passive Attacks
A passive attack attempts to learn or make use of information
from the system but does not affect system resources.
Active Attacks
An active attack attempts to alter system resources or affect their
operation.
20
27. Common security attacks
Interruption, delay, or denial of service
System assets or information become unavailable or are rendered
unavailable
Interception or snooping
Unauthorized party gains access to information by browsing through files or
reading communications
Modification or alteration
Unauthorized party changes information in transit or information stored for
subsequent access
Fabrication, masquerade, or spoofing
Spurious information is inserted into the system or network by making it
appear as if it is from a legitimate entity
Repudiation of origin
False denial that an entity created/sent something
Denial of Receipt
False denial that an entity received something
27
28. Classes of Threats
Disclosure: unauthorized access to information
Snooping
Deception: acceptance of false data
Modification, masquerading/spoofing, repudiation of
origin, denial of receipt
Disruption: interruption/prevention of correct
operation
Modification
Usurpation: unauthorized control of a system
component
Modification, masquerading/spoofing, delay, denial of
service
28
30. Policy and Mechanism
Security Policy:
A statement of what is, and what is not, allowed.
Security Mechanism:
A method, tool, or procedure for enforcing a
security policy.
30
31. Types of Security Policies
A military security policy (also called a governmental
security policy) is a security policy developed
primarily to provide confidentiality.
A commercial security policy is a security policy
developed primarily to provide integrity.
A confidentiality policy is a security policy dealing
only with confidentiality.
An integrity policy is a security policy dealing only
with integrity.
31
32. Types of Security Policies: Some common security policies
Acceptable use policy
Defines what actions users of a system may perform while using computing and
networking equipment
Human resource policy
Policies of the organization that address human resources
Password management policy
A password management policy should clearly address how passwords are
managed
Privacy policy
Organizations should have a privacy policy that outlines how the organization uses
information it collects
Disposal and destruction policy
A disposal and destruction policy that addresses the disposing of resources is
considered essential
Service-level agreement
Contract between a vendor and an organization for services
32
33. Types of Security Policies
Figure: Security Policies Cycle along with Types of Security Policies
33
36. Goals of Security
Prevention: Guarantee that an attack will fail
Detection: Determine that a system is under attack,
or has been attacked, and report it
Recovery:
Off-line recovery: stop an attack, assess and repair damage
On-line recovery: respond to an attack reactively to
maintain essential services
36
37. Issues with Security: Operational Issues
Cost-Benefit Analysis
Benefits vs. total cost
Is it cheaper to prevent or recover?
Risk Analysis
Should we protect something?
How much should we protect this thing?
Risk depends on environment and change with time
Laws and Customs
Are desired security measures illegal?
Will people do them?
Affects availability and use of technology
37
38. Issues with Security: Human Issues
Organizational Problems
Power and responsibility
Financial benefits
People problems
Outsiders and insiders
Which do you think is the real threat?
Social engineering
38
39. Access Control
Security technique for the prevention of unauthorized
use of a resource in a computing environment
(i.e., this service controls who can have access to a
resource, under what conditions access can occur, and what
those accessing the resource are allowed to do).
In the context of network security, access control is
the ability to limit and control the access to host
systems and applications via communications links.
To achieve this, each entity trying to gain access must
first be identified, or authenticated, so that access
rights can be tailored to the individual.
39
41. Access Control
Access control systems perform authorization
identification, authentication, access approval, and
accountability of entities through login credentials
including passwords, personal identification numbers
(PINs), biometric scans, and physical or electronic keys.
There are two main types of access control: physical
and logical.
Physical access control limits access to campuses, buildings,
rooms and physical IT assets.
Logical access limits connections to computer networks,
system files and data.
41
42. Access Control: Categories
Some times Categories of access control are also
called Types of access control
The four main categories of access control are:
Mandatory Access Control (MAC) or Rule-based
Access Control
Discretionary Access Control (DAC)
Role-based Access Control (RBAC)
Originator Controlled Access Control (ORCON or
ORG-CON)
42
43. Access Control: MAC
When a system mechanism controls access to an object
and an individual user cannot alter that access, the control
is a mandatory access control (MAC), occasionally called
a rule-based access control.
The operating system enforces MAC. Neither the subject
nor the owner of the object can determine whether access
is granted.
Typically, the system mechanism will check information
associated with both the subject and the object to
determine whether the subject should access the object.
Rules describe the conditions under which access is
allowed.
43
44. Access Control: DAC
If an individual user can set an access control mechanism
to allow or deny access to an object, that mechanism is a
discretionary access control (DAC), also called an
identity-based access control (IBAC).
DAC base access rights on the identity of the subject and
the identity of the object involved.
Identity is the key; the owner of the object constrains
who can access it by allowing only particular subjects to
have access.
The owner states the constraint in terms of the identity of
the subject, or the owner of the subject.
44
45. Access Control: RBAC
Role-based access control (RBAC) is a method of
regulating access to computer or network resources
based on the roles of individual users within an
enterprise.
In this context, access is the ability of an individual
user to perform a specific task, such as view, create,
or modify a file.
Roles are defined according to job competency,
authority, and responsibility within the enterprise.
45
46. Access Control: ORCON or ORG-CON
An originator controlled access control (ORCON or
ORGCON) bases access on the creator of an object
(or the information it contains).
The goal of this control is to allow the originator of
the file (or of the information it contains) to control
the dissemination of the information.
The owner of the file has no control over who may
access the file.
46
47. Security Models
Bell-LaPadula Model (1973)
Biba Model (1977)
Clark-Wilson Model (1987)
Access Control Matrix
Information Flow Model
Noninterference Model
Chinese Wall Model
Lattice Model
Confidentiality
Integrity
Availability
Security Requirements Security Models
47
48. Overview of the Bell-LaPadula Model
Funded by the U.S. government, Bell-LaPadula model is
the first mathematical model of a multilevel security
policy. Because users with different clearances use the
system, and the system processes data with different
classifications.
Is a state machine model that enforce the confidentiality
aspects of access control, but not with integrity or
availability
Is an information flow security model as it ensures
information does not flow in an insecure manner.
All mandatory access control (MAC) model are based on
the Bell-LaPadula model.
48
49. Overview of the Bell-LaPadula Model
The Simple Security Property (ss Property) states that a
subject at a given security level cannot read data that
resides at a higher security level (No Read Up).
The * (star) Security Property states that a subject in a
given security level cannot write information to a lower
security level. (No Write Down).
The Strong Star Property states that a subject that has read
and write capabilities can only perform those functions at
the same security level, nothing higher and nothing lower.
A subject to be able to read and write to an object, the
clearance and classification must be equal.
49
50. Overview of the Bell-LaPadula Model
Simple
Security
Property
Star (*)
Property
Strong
Star (*)
Property
Layer of
Lower Secrecy
Layer of
Higher Secrecy
Read Write Read/Write
Divulging
Secrets
Divulging
SecretsΧ Χ
Χ Reading
Secrets
Reading
Secrets
Χ
50
51. Bell-LaPadula Model: Example
security level subject object
Top Secret Tamara Personnel Files
Secret Samuel E-Mail Files
Confidential Claire Activity Logs
Unclassified James Telephone Lists
• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• James can only read Telephone Lists
51
52. Overview of the Biba Integrity Model
Developed in 1977, the Biba integrity model
mathematically describes read and write restrictions
based on integrity access classes of subjects and
objects. It is the first model to address integrity.
Is an information flow model as it is concerned about
data flowing from one level to another.
The model looks similar to the Bell-LaPadula Model;
however, the read-write conditions are reversed.
52
53. Overview of the Biba Integrity Model
The Simple Integrity Axiom: States that a subject at one
level of integrity is not permitted to observe (read) an
object of a lower integrity. No Read Down.
The * (Star) Integrity Axiom: States that an object at
one level of integrity is not permitted to modify (write
to) an object of a higher level of integrity. No Write Up.
Invocation property states that a subject at one level of
integrity cannot invoke (call up) a subject at a higher
level of integrity.
53
54. Overview of the Biba Integrity Model
Simple
Integrity
Property
Integrity
Star (*)
Property
Layer of
Lower Secrecy
Read Write
Χ
ContaminationΧ
Get
Contaminated
54
55. Overview of the Biba Integrity Model
The Biba model can be extended to include an access
operation called invoke. A subject can invoke another
subject, such as a software utility, to access an object.
The subject cannot send message (logical request for
service) to subjects of higher integrity. Subjects are
only allowed to invoke utilities or tools at the same or
lower integrity level (otherwise, a dirty subject could
use a clean tool to access or contaminate a clean
object).
55