Computer Security Workshops - PowerPoint PPT Presentation

slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Computer Security Workshops PowerPoint Presentation
Download Presentation
Computer Security Workshops

play fullscreen
1 / 16
Download Presentation
Computer Security Workshops
Download Presentation

Computer Security Workshops

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

    1. Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts

    2. Why Study Computer Security? Increasingly important issue for: Computer system and network administrators Application programmers Security issues follow technology Desktop systems, wireless networks, handheld devices Security issues affect software, laws, profits and businesses

    3. Computer Security Definition ensuring the security of resources in a computing environment ensuring work to make it so a process resources data, network, hardware, applications, computing environment mix of hardware, software and people

    4. Information Assurance A broader category than computer security, information security, etc. Concerned with the Security of information in system Quality/Reliability of information in system

    5. Core Security Concepts Vulnerability, Exploit, Threat Vulnerability a weakness in some aspect of a system Exploit a known method for taking advantage of a vulnerability Threat the likelihood of some agent using an exploit to compromise security Note: not all users/groups are equal threats to various systems Hackers more of a threat to popular web sites, businesses Disgruntled employees more of a threat to isolated businesses

    6. Interesting Security Email Lists Cryptogram Newsletter, Bruce Schneier; Library, Crypto-gram US/CERT Advisory List (Dept. of Homeland Security) ; Advisories by Email Bugtraq List , subscription information about 2/3 down the page

    7. Principles To Consider Security is a very difficult topic to comprehend No silver bullets However, consideration of major principles will help develop a good set of security processes and policies

    8. 1st Principle Security is a process, not a product attributed to Bruce Schneier of Counterpane Security Systems, others Not something you purchase Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment Must be dealt with continually

    9. 2nd Principle Computer Security is not just about computer systems Three major aspects to computer security Technology Hardware (systems, networks, any connected equipment) Software (programming, configuration) People, in many different roles Legitimate users, disgruntled users, hackers Insiders vs. outsiders fuzzy line! Social engineering is a large concern Best technological security is worthless is someone is tricked into turning it off / allowing access through it Physical environment Surroundings, access, proximity

    10. 3rd Principle Security and convenience are inversely proportional Lack of security generally makes it easier to get work done Addition of security may interfere with the ease of getting a job done Goal: find the balance point that supports both

    11. 4th Principle Security succeeds or fails based on the weakest link All aspects (technology, people, environment) must be attended to equally Must remain current with each aspect E.g. software patches should be applied as they come out, not when you get around to it Corollary: People are the weakest link Kevin Mitnick

    12. 5th Principle Hackers are generally technologists (as opposed to programmers) Smaller group of hackers program exploits, viruses More hackers apply technology already available, sometimes in creative ways Poor configuration of systems is a major security problem Corollary good programming skills arent sufficient to make a good security professional Add understanding of networks & technology, attention to detail, creativity,

    13. 6th Principle Utilize Multiple Layers of Defense E.g. Network hardware Router initial line of defense Bastion host(s) system(s) visible/available to outside world (e.g. web server) Firewall second line of defense Secure intranet internally available systems Can anyone bypass one or more layers?

    14. 7th Principle Focus your security energy on dealing with the most likely threats Consider what is most relevant to your environment Which vulnerabilities do you have? Which of these have known exploits? What users are likely to cause problems? What is the likelihood of a given threat?

    15. 8th Principle One aspect of security is obscurity Dont set yourself up as a target Maintain a low network profile for your business, computer system, etc. Problem: contradicts marketing principles if youre a business Examples Windows is attacked more than MacOS/OS X Those who claim their systems cant be hacked will have lots of people trying

    16. Putting It Together Computer Security is balancing of a number of interrelated factors Considering Security Goals Developing Layered Protection (Vertically,Horizontally) Utilizing Available Resources Developing and Enforcing Policies and Processes Minimizing Interference With Functionality Weighing of Risks Maintaining Constant Vigilance