Computer Security: Set of slides 1

Dr Alexei Vernitski


Information security

  • In this module, we concentrate on information security

  • We speak less about physical security – for example:

    (Millfields Primary School laptop thefts)

    http://www.lapsafe.com/about-us/case-studies/millfields

    http://blogs.absolute.com/blog/absolute-software-foils-repeat-thefts-at-millfields-school/

  • We do not speak about bugs in computer software – for example:

    (Bug in Post Office computer system)

    http://www.bbc.co.uk/news/uk-23233573


Example from a web site

  • Your password is stored securely using RSA Encryption with a 1024-bit key, which is the standard used for secure online bank account access.

  • We use industry-standard 128 bit secure socket layer SSL encryption to protect data transmissions between your browser and our servers, such as your personal information.

    http://www.billmonitor.com/security.html


Questions

  • Your password is stored securely using RSA Encryption with a 1024-bit key, which is the standard used for secure online bank account access.

  • We use industry-standard 128 bit secure socket layer SSL encryption to protect data transmissions between your browser and our servers, such as your personal information.

  • What is more secure: 1024 bits or 128 bits?

  • Is either of these two encodings secure?

  • Or are they both secure? In this case, why use both?

  • What is RSA?

  • Which security goals are achieved by these measures?


Security goals

  • Confidentiality

  • Integrity

  • Availability

  • Some others, such as non-repudiation

    (read more in the textbooks)


Example: electronic voting system

  • http://www.youtube.com/watch?v=QdpGd74DrBM


For discussion

  • Confidentiality

  • Integrity

  • Availability

  • Some others, such as non-repudiation

  • Consider an electronic voting system

  • How can these goals be achieved or not achieved?


Questions

  • Your password is stored securely using RSA Encryption with a 1024-bit key, which is the standard used for secure online bank account access.

  • We use industry-standard 128 bit secure socket layer SSL encryption to protect data transmissions between your browser and our servers, such as your personal information.

  • What is more secure: 1024 bits or 128 bits?

  • Is either of these two encodings secure?

  • Or are they both secure? In this case, why use both?

  • What is RSA?

  • Which security goals are achieved by these measures?


Example from a web site

  • We have industry standard and proprietary network monitoring tools constantly running in our system in order to prevent security breaches and protect the security of your data.

  • In addition, our secure page employs industry standard encryption.

    http://www.facebook.com/help/212183815469410/


Questions

  • We have industry standard and proprietary network monitoring tools constantly running in our system in order to prevent security breaches and protect the security of your data.

  • In addition, our secure page employs industry standard encryption.

  • Which security goals are important for Facebook?

  • Which security goals are achieved by the described measures?


Example from a news item

  • Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.

  • Thankfully, credit card information was stored separately to the personal data and was encrypted.

    http://www.bit-tech.net/news/gaming/2011/04/28/sony-admits-personal-data-was-not-encrypted/1


Questions

  • Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.

  • Thankfully, credit card information was stored separately to the personal data and was encrypted.

  • Which security goals were not achieved by Sony?

  • Would encryption help to achieve these goals?


From recent research

  • Firms using encryption software are more careless about controlling internal access to encrypted data and their employees are more careless about computer equipment containing encrypted data.

    http://policybythenumbers.blogspot.co.uk/2011/12/protecting-personal-data-through.html


For discussion

  • Firms using encryption software are more careless about controlling internal access to encrypted data and their employees are more careless about computer equipment containing encrypted data.

  • Do you agree with these research findings?

  • Does this mean that encryption should not be used?


Example from a web site

  • iCloud is built with industry-standard security practices and employs strict policies to protect your data.

    http://support.apple.com/kb/HT4865

  • Apple takes precautions — including administrative, technical and physical measures — to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction.

    http://www.apple.com/uk/privacy/


Attack analysis

  • Threat

  • Vulnerability

  • Attack

  • Control

    (read more in the textbooks)


Attack analysis

  • It is important to remember that in this context, words such as ‘threat’ and ‘control’ have special, technical meanings

  • A threat describes what can be stolen or damaged

  • A control describes how a vulnerability can be stopped or repaired


An informal example


For discussion

  • Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.

  • Analyse this news item using the terms

    • Threat

    • Vulnerability

    • Attack

    • Control


Example from a news item

  • MI6 and the CIA have been warned that intelligence may have been compromised by an agent in Switzerland who downloaded vast quantities of data onto portable hard drives and carried it out of a secure building.

    http://www.telegraph.co.uk/news/9722715/MI6-secrets-threatened-as-Swiss-spy-steals-a-mountain-of-data.html

  • The sources say that he downloaded "terabytes" of classified material from the Swiss intelligence service's servers onto portable hard drives. He then left the government building with a backpack containing the hard drives.

    http://www.zdnet.com/swiss-spy-agency-warns-cia-mi6-over-massive-secret-data-theft-7000008282/


For discussion

  • MI6 and the CIA have been warned that intelligence may have been compromised by an agent in Switzerland who downloaded vast quantities of data onto portable hard drives and carried it out of a secure building.

  • The sources say that he downloaded "terabytes" of classified material from the Swiss intelligence service's servers onto portable hard drives. He then left the government building with a backpack containing the hard drives.

  • Analyse this news item using the terms

    • Threat

    • Vulnerability

    • Attack

    • Control


Defence against attack: types of control

You may use the following verbs to describe the action of controls:

  • Preempt

  • Prevent

  • Deter

  • Detect

  • Deflect

  • Recover

    (read more in the textbooks)


For discussion

  • Student Rachel Hyndman, 20, from Glasgow, believes she was the victim of webcam hacking. She spotted the camera on her laptop had switched itself on while she was watching a DVD in the bath. She says: "I was sitting in the bath, trying to relax, and suddenly someone potentially has access to me in this incredibly private moment and it's horrifying. To have it happen to you without your consent is horribly violating."

    http://www.bbc.co.uk/news/uk-22967622


For discussion

  • She spotted the camera on her laptop had switched itself on while she was watching a DVD in the bath. She says: "I was sitting in the bath, trying to relax, and suddenly someone potentially has access to me in this incredibly private moment and it's horrifying.

  • Discuss which types of control could have been used to defend against the attack

    • Preemption

    • Prevention

    • Deterrence

    • Detection

    • Deflection

    • Recovery


For discussion

  • Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.

  • Discuss which types of control could have been used to defend against the attack

    • Preemption

    • Prevention

    • Deterrence

    • Detection

    • Deflection

    • Recovery


Example: online shop

  • http://www.amazon.co.uk/

  • http://www.johnlewis.com/

  • http://store.apple.com/uk


For discussion: online shop

  • Confidentiality

  • Integrity

  • Availability

  • (also non-repudiation)

  • Threat

  • Vulnerability

  • Attack

  • Control

    • Preemption

    • Prevention

    • Deterrence

    • Detection

    • Deflection

    • Recovery


Security policy

Example: an excerpt from Amazon's security policy

  • We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.

  • We reveal only the last four digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing.

  • We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable customer information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.

  • It is important for you to protect against unauthorised access to your password and to your computer. Be sure to sign off when you finish using a shared computer.


Homework

  • Find the security policy of the University of Essex.

  • Read it, paying attention to security goals, attack analysis and controls.


Sample exam questions

  • List three main types of security goals

  • Apple’s security policy says that Apple takes measures ‘against unauthorised access, disclosure, alteration and destruction’. Explain precisely which security goals would be compromised by each of the following: unauthorised access, disclosure, alteration and destruction.


Sample exam questions

  • Read the news item:

    • A former Sun newspaper reporter Ben Ashford has been charged with an offence of unauthorised access to computer material. The charge alleges that he "caused a computer to perform a function with intent to secure unauthorised access to a program or data held in a computer, knowing that such access was unauthorised".

  • Explain precisely which security goals could be compromised by Ben Ashford’s alleged actions


Sample exam questions

  • Explain in your own words what the terms threat and vulnerability mean

  • Read the news item:

    • Social networking website LinkedIn has said some of its members' passwords have been "compromised" after reports that more than six million passwords had been leaked onto the internet.

  • Comment on this news item using all the necessary terms for attack analysis


Sample exam questions

  • Read the news item:

    • Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.

    • Thankfully, credit card information was stored separately to the personal data and was encrypted.

  • Comment on this news item using your knowledge of the types of controls


Sample exam questions

  • Read the news item:

    • MI6 and the CIA have been warned that intelligence may have been compromised by an agent in Switzerland who downloaded vast quantities of data onto portable hard drives and carried it out of a secure building.

    • The sources say that he downloaded "terabytes" of classified material from the Swiss intelligence service's servers onto portable hard drives. He then left the government building with a backpack containing the hard drives.

  • Comment on this news item, using the correct terms related to security goals, attack analysis and control types.


Sample exam questions

  • The web site of a company claims:

    • We have industry standard and proprietary network monitoring tools constantly running in our system in order to prevent security breaches and protect the security of your data.

    • In addition, our secure page employs industry standard encryption.

  • Improve this fragment of the company’s security policy, using the correct terms related to security goals, attack analysis and control types.


Sample exam questions

  • The web site of a company claims:

    • Your password is stored securely using RSA Encryption with a 1024-bit key

    • We use industry-standard 128 bit secure socket layer SSL encryption

  • Defend this security policy, explaining why 1024-bit encryption is used in one case and 128-bit encryption in the other.

