
IN5280 Security by Design

IN5280 Security by Design. Introduction. Who am I? Lillian Røstad, PhD. Adjunct Associate Professor, UiO. Head of Cyber Security Advisory, Sopra Steria. Previously Adjunct Associate Professor, NTNU (2004-2018), teaching: TDT4237 Software Security, TTM4175 Ethical Hacking





Presentation Transcript


  1. IN5280 Security by Design Introduction

  2. Who am I? • Lillian Røstad, PhD • Adjunct Associate Professor, UiO • Head of Cyber Security Advisory, Sopra Steria • Previously: • Adjunct Associate Professor, NTNU (2004-2018), teaching: • TDT4237 Software Security • TTM4175 Ethical Hacking • Head of information security unit, Difi (2013-2015) • CISO, Lånekassen (2009-2013) • Research scientist, information security group, SINTEF (2002-2009)

  3. Who are you? • Name • Year of study • Motivation for taking the course • Why? • Expectations for the course • What? • Previous experience with cyber security • Courses taken? • Previous experience with software development • Courses taken?

  4. Curriculum

  5. Lecture plan • Thursday 10:15-12:00 – Lecture • Friday 10:15-12:00 – Guidance on home exams

  6. Exam • Home exam – 40% • Final exam – 60% • Home exam part 1 • Hand-out Friday February 8th • Deadline Friday March 1st @4pm • Home exam part 2 • Hand-out Friday March 22nd • Deadline Friday April 26th @4pm • Exam June 5th @9am (4 hours), Inspera

  7. Home exam – groups • 2-3 students per group • Submit to lilliaro@uio.no by February 1st • If you don’t submit a group, you will be assigned to one • Home exam part 1 – a case to be solved • Home exam part 2 – (probably) an essay on an approved topic

  8. NewsBites

  9. World Economic Forum Global Risk Report 2019

  10. Researchers found an average global preference for: • sparing humans over animals • more people over less • the younger over the older

  11. "Only the (weak) preference for sparing pedestrians over passengers and the (moderate) preference for sparing the lawful over the unlawful appear to be shared to the same extent in all clusters."

  12. Security by Design

  13. Definition

  14. Vulnerability – Attack – Incident • Let's try to make less of these!

  15. The Trinity of Trouble • Connectivity • Complexity • Extensibility

  16. The three pillars of software security

  17. BUG

  18. FLAW

  19. No more «Penetrate & Patch» • A move towards: Building Security In (Photos: Colourbox)

  20. RISK

  21. The Risk Management Framework (RMF) – Assets

  22. Assets: Identification – Categorization – Assessment • Know what you have – that needs to be protected

  23. Assets

  24. Types of assets • Information assets, examples: • Customer data • Employee data • CRM data • Software assets, examples: • E-mail system • Online ordering system • Common authentication (SSO) system • Physical assets, examples: • Buildings • Servers • Network equipment

  25. Case – Digital exam system • The University of Southern Nomansland has decided to procure a Digital Exam System • This new system should support: • Creation of exams, including collaboration on this task • Safekeeping of exams until the exact time the examination begins • Examination, including hand-in of completed exams • Distribution of completed exams to censors • Communication of result to students • Receive and manage complaints from students • Communication of final results to students

  26. Task 1 • Identify assets for the digital exam system • Information • Software • Physical

  27. Task 2 • Can you categorize the identified information assets?

  28. Task 3 • Assess the criticality of the assets with respect to • Confidentiality • Integrity • Availability
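The three tasks are the three RMF asset steps from slide 22 (identification, categorization, assessment) applied to the exam-system case. The following Python asset register is an added worked example, not part of the lecture slides or any course material: the assets it lists and every confidentiality/integrity/availability rating it assigns are assumptions made to illustrate the method, and the point of the exercise is to argue for your own. It goes slightly beyond the slides by deriving an overall criticality (the highest of the three CIA ratings) and ranking the assets by it, which is how a practitioner decides where protection effort goes first.

```python
"""Asset register for the (fictional) digital exam system case.

Added example, not part of the lecture slides. Every asset and every
confidentiality/integrity/availability (CIA) rating below is an assumption
made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Criticality rating used for each CIA property."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


ASSET_KINDS = ("information", "software", "physical")   # slide 24 / Task 1


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # one of ASSET_KINDS (Task 1)
    category: str    # how the asset is classified (Task 2)
    confidentiality: Level
    integrity: Level
    availability: Level

    def __post_init__(self):
        if self.kind not in ASSET_KINDS:
            raise ValueError(f"unknown asset kind: {self.kind!r}")

    def criticality(self) -> Level:
        # An asset is as critical as its most critical property: an asset that
        # only needs HIGH availability still needs HIGH protection overall.
        return max(self.confidentiality, self.integrity, self.availability)

    def protection_focus(self) -> list:
        """Which CIA properties drive the protection need (rated HIGH)."""
        ratings = {"confidentiality": self.confidentiality,
                   "integrity": self.integrity,
                   "availability": self.availability}
        return [prop for prop, level in ratings.items() if level == Level.HIGH]


# Step 1 (identification): constructed inventory for the exam-system case.
# Step 3 (assessment): assumed CIA ratings, with the reasoning in comments.
EXAM_SYSTEM_ASSETS = [
    # Questions leaking before the exam starts ruins the exam: C=HIGH. They
    # must also be unmodified and reachable at the exact start time.
    Asset("Unreleased exam questions", "information", "exam content",
          Level.HIGH, Level.HIGH, Level.HIGH),
    # Student hand-ins: silent modification or loss is the worst case.
    Asset("Submitted exam answers", "information", "student work",
          Level.MEDIUM, Level.HIGH, Level.HIGH),
    Asset("Grades and final results", "information", "personal data",
          Level.HIGH, Level.HIGH, Level.MEDIUM),
    Asset("Student complaints", "information", "personal data",
          Level.MEDIUM, Level.MEDIUM, Level.LOW),
    Asset("Exam authoring/collaboration tool", "software", "exam preparation",
          Level.HIGH, Level.HIGH, Level.MEDIUM),
    Asset("Exam delivery and hand-in service", "software", "exam execution",
          Level.MEDIUM, Level.HIGH, Level.HIGH),
    # Everything else depends on who can log in as whom.
    Asset("Common authentication (SSO) service", "software", "infrastructure",
          Level.HIGH, Level.HIGH, Level.HIGH),
    Asset("Exam hall network equipment", "physical", "infrastructure",
          Level.LOW, Level.MEDIUM, Level.HIGH),
    Asset("Servers hosting the exam system", "physical", "infrastructure",
          Level.MEDIUM, Level.HIGH, Level.HIGH),
]


def assets_by_kind(assets, kind):
    """Task 1 view: the assets of one kind (information/software/physical)."""
    return [a for a in assets if a.kind == kind]


def categorize(assets):
    """Task 2: group the information assets by category -> list of names."""
    groups = defaultdict(list)
    for a in assets_by_kind(assets, "information"):
        groups[a.category].append(a.name)
    return dict(groups)


def ranked(assets):
    """Task 3: assets ordered from most to least critical (stable for ties)."""
    return sorted(assets, key=lambda a: a.criticality(), reverse=True)


def criticality_table(assets):
    """Render the assessment as a plain-text table for the write-up."""
    lines = [f"{'Asset':<38} {'C':>6} {'I':>6} {'A':>6}  Overall"]
    for a in ranked(assets):
        lines.append(f"{a.name:<38} {a.confidentiality.name:>6} "
                     f"{a.integrity.name:>6} {a.availability.name:>6}  "
                     f"{a.criticality().name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(criticality_table(EXAM_SYSTEM_ASSETS))
```

Taking the maximum of the three ratings is deliberate: a rating scheme that averaged them would hide the fact that the exam hall network needs no confidentiality at all but must not fail during the exam, and `protection_focus()` keeps that distinction visible so the controls chosen later match the property that is actually at risk.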
