PowerPoint Slideshow about 'CIT 380: Securing Computer Systems' - Lucy


CIT 380: Securing Computer Systems

Policies

Why Policies?
  • People are often the security problem.

NKU Password Policy
  • https://www.nku.edu/password/index.php

NKU Acceptable Use Policy for Technology Resources
  • http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf

Types of Security (CIA)
  • Confidentiality
  • Integrity
  • Availability

Confidentiality
  • Keeping information secret
    • Bank records
    • Medical records
    • Student records
    • Personally identifiable information

Integrity
  • Accuracy and reliability of information
    • You are charged correctly for a purchase
    • Your bank balance is correct
    • You register for the correct class

Availability
  • Reliable and timely access
    • Email is accessible
    • Can access airline reservation system

Which is most important?
  • National Defense
    • Confidentiality
  • Banking
    • Integrity

Security Planning
  • Planning to address security needs.
  • Risk assessment.
  • Crafting policies to reflect risks and needs.
  • Implementing security.
  • Audit and incident response.

Trust
  • Security professionals generally don’t refer to a computer system as being “secure” or “unsecure.”
  • Trust – level of confidence that a computer system will behave as expected.

Risk Assessment
  • Identify assets and their value
  • Identify risk to assets
  • Calculate risk

Risk Assessment
  • What assets are you trying to protect?
  • What are the risks to those assets?
  • How well does each potential security solution mitigate those risks?
  • What other risks do the security solutions impose on me?
  • What costs and trade-offs do the security solutions create?

Identify Assets?
  • Home computer system
  • E-commerce web server

Identifying Assets
  • Tangibles
    • Computers
    • Data
    • Backups
    • Printouts
    • Software media
    • HR records
  • Intangibles
    • Privacy
    • Passwords
    • Reputation
    • Goodwill
    • Performance

Identify Risk?
  • Home computer system
  • E-commerce web server

Identifying Risks
  • Loss of key personnel
  • Loss of key vendor or service provider
  • Loss of power
  • Loss of phone / network
  • Theft of laptops, USB keys, backups
  • Introduction of malware
  • Hardware failure
  • Software bugs
  • Network attacks

Calculate Risk
  • Cost-Benefit Analysis
    • Cost of Loss
    • Probability of Loss
    • Cost of Prevention
  • Levels of importance
    • High, Medium, Low
  • Best Practices

Cost-Benefit Analysis

Cost of a Loss

  • Direct cost of lost hardware.
  • Cost of idle labor during outage.
  • Cost of time to recover.
  • Cost to reputation.

Probability of a Loss

  • Insurance/power companies have some stats.
  • Records of past experience.

Cost of Prevention

  • Remember that most risks cannot be eliminated.

Risk Analysis Notes

Update your risks regularly

  • Business, technology changes alter risks.

Too many risks to defend against.

  • Rank risks to decide which ones to mitigate.
  • Insure against some risks.
  • Accept other risks.
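
The cost-benefit comparison and ranking from the last three slides, as an added example that is not part of the original deck. All dollar figures and probabilities are constructed, and the `insure_above` threshold and the `residual` field (the chance of loss left after prevention, since most risks cannot be eliminated) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    cost_of_loss: float        # dollars lost per incident
    probability: float         # chance of the loss in one year
    cost_of_prevention: float  # yearly cost of the countermeasure
    residual: float            # yearly chance that remains with the countermeasure

    def expected_loss(self):
        return self.cost_of_loss * self.probability

    def net_benefit(self):
        # Loss avoided by the countermeasure minus what the countermeasure costs.
        avoided = self.cost_of_loss * (self.probability - self.residual)
        return avoided - self.cost_of_prevention


def plan(risks, insure_above):
    """Rank risks by expected yearly loss and pick a treatment for each."""
    decisions = []
    for r in sorted(risks, key=Risk.expected_loss, reverse=True):
        if r.net_benefit() > 0:
            action = "mitigate"   # prevention pays for itself
        elif r.cost_of_loss >= insure_above:
            action = "insure"     # rare, but too large to absorb
        else:
            action = "accept"
        decisions.append((r.name, action))
    return decisions


# Constructed figures for four risks named on the slides.
RISKS = [
    Risk("Theft of laptops", 20_000, 0.10, 500, 0.02),
    Risk("Loss of power", 8_000, 0.50, 1_500, 0.05),
    Risk("Hardware failure", 3_000, 0.20, 2_000, 0.05),
    Risk("Loss of key vendor", 250_000, 0.01, 10_000, 0.005),
]

if __name__ == "__main__":
    for name, action in plan(RISKS, insure_above=100_000):
        print(f"{action:9} {name}")
```
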

Best Practices
  • Risk Analysis is difficult and uncertain.
  • Follow best practices or due care
    • Firewall required as insurance co. due care.
    • Update patches, anti-virus.
    • Organizations differ in what they need.
  • Combine best practices + risk analysis.

Convincing Management
  • Security is not free.
  • MBAs understand costs and benefits.
  • MBAs mistrust technology.

Policy
  • Policy helps to define what you consider to be valuable, and it specifies which steps should be taken to safeguard those assets.

Three Policy Roles
  • What is being protected
  • Who is responsible
  • Provides ground on which to interpret and resolve later conflicts.

Role of Policy
  • Should be general and change little over time.
  • How does the NKU Acceptable Use Policy for Technology Resources meet these roles?

Security Policy

Security policy partitions system states into:

  • Authorized (secure)
    • These are states the system is allowed to enter.
  • Unauthorized (nonsecure)
    • If the system enters any of these states, it’s a security violation.

Secure system

  • Starts in authorized state.
  • Never enters unauthorized state.

Policy vs. Mechanism

Security Policy

  • Statement that divides system into authorized and unauthorized states.

Mechanism

  • Entity or procedure that enforces some part of a security policy.
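
The definitions on the Security Policy and Policy vs. Mechanism slides, worked as an added example that is not part of the original deck: the policy is a set of authorized states, the mechanism is a set of refused transitions, and the system is secure if no unauthorized state is reachable from the start. The grade-system states and the `ACL_CHECK` mechanism are hypothetical.

```python
from collections import deque

# Constructed toy model of a grade system; state names are hypothetical.
TRANSITIONS = {
    "logged_out": ["student_session", "staff_session"],
    "student_session": ["student_reads_own_record", "student_edits_grades", "logged_out"],
    "staff_session": ["staff_edits_grades", "logged_out"],
    "student_reads_own_record": ["student_session"],
    "student_edits_grades": ["student_session"],
    "staff_edits_grades": ["staff_session"],
}

# Policy: the authorized states. Every other state is unauthorized.
AUTHORIZED = set(TRANSITIONS) - {"student_edits_grades"}

# Mechanism: an access-control check that refuses one transition.
ACL_CHECK = {("student_session", "student_edits_grades")}


def violation_path(start, transitions, authorized, blocked=frozenset()):
    """Return the shortest path from start to an unauthorized state, or None.

    None means the system is secure under this policy: it starts in an
    authorized state and no permitted transition leads outside the set.
    """
    if start not in authorized:
        return [start]
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for nxt in transitions.get(state, []):
            if (state, nxt) in blocked or nxt in parent:
                continue
            parent[nxt] = state
            if nxt not in authorized:
                # Walk the parent links back to the start to rebuild the path.
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    print("no mechanism:", violation_path("logged_out", TRANSITIONS, AUTHORIZED))
    print("with ACL    :", violation_path("logged_out", TRANSITIONS, AUTHORIZED, ACL_CHECK))
```

Without the mechanism the policy is still the same, but the system is not secure; the returned path is what a compliance audit would report as the gap between written and enforced policy.
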

Developing a Workable Policy
  • Assign an owner
  • Be positive
    • People respond better to “do” than “don’t.”
  • Remember that employees are people too
    • They will make mistakes
    • They value privacy
  • Concentrate on education
  • Standards for training and retraining

Standards
  • Codify successful security practices
  • Standards for backups (p. 46-7)
  • Platform independent
  • Metric to determine if met

Guidelines
  • Interpret standards for a particular environment.
  • Unix backups (p. 47)

Regulations
  • HIPAA
    • Medical Privacy - National Standards to Protect the Privacy of Personal Health Information
  • Sarbanes-Oxley
    • Protection of financial and accounting information
  • Federal Information Security Management Act (FISMA)
    • IT controls and auditing

Developing a Workable Policy
  • Have authority commensurate with responsibility
  • Spaf’s first principle of security administration:
    • If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

Developing a Workable Policy
  • Be sure to know your security perimeter
    • Laptops and PDAs
    • Wireless networks
    • Computers used at home
    • Portable media
      • Flash drives, CDs, DVDs

Security Perimeter
  • Perimeter defines what is within your control.
  • Historically
    • Within walls of building or fences of campus.
    • Within router that connects to ISP.
  • Modern perimeters are more complex
    • Laptops, PDAs.
    • USB keys, CDs, DVDs, portable HDs.
    • Wireless networks.
    • Home PCs that connect to your network.

Defense in Depth
  • Firewall/IDS protect perimeter.
  • Perimeter security is not sufficient.
    • What if someone brings infected laptop to work?
    • What if home user bridges your net to Internet?
  • Defense in Depth
    • Multiple, independent layers of protection.
    • Network firewall + personal firewall + IDS

Four Easy Steps to a More Secure Computer
  • Decide how important security is for your site.
  • Involve and educate your user community.
  • Devise a plan for making and storing backups of your system data.
  • Stay inquisitive and suspicious.

Compliance Audit
  • Formulating policy is not enough by itself. It is important to determine regularly if the policy is being applied correctly, and if the policy is correct and sufficient.

Compliance Audits
  • Audit your systems and personnel regularly.
  • Audit failures may result from
    • Personnel shortcomings
      • Insufficient education or overwork
    • Material shortcomings
      • Insufficient resources or maintenance
    • Organizational shortcomings
      • Lack of authority, conflicting responsibilities
    • Policy shortcomings
      • Unforeseen risks, missing or conflicting policies

Providing Security
  • In-house staff
  • Full-time or part-time consultants
    • Choosing a vendor
      • “Reformed hacker”

Security Concepts
  • Security Through Obscurity
  • Responsible disclosure

Key Points
  • Policy divides system into
    • Authorized (secure) states.
    • Unauthorized (insecure) states.
  • Policy vs Mechanism
    • Policy: describes what security is.
    • Mechanism: how security policy is enforced.
  • Written policy and enforced policy will differ.
    • Compliance audits look for those differences.
  • Security Perimeter
    • Describes what is within your control.
    • Defense in depth: defend perimeter and inside.

References
  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e, O’Reilly, 2003.
  • NKU, Acceptable Use Policy, http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf, 2009.
  • SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/
