
Computer Security Workshops


zia

Presentation Transcript


  1. Computer Security Workshops
     Security 101 - Introduction, Central Principles and Concepts

  2. Why Study Computer Security?
     • Increasingly important issue for:
       • Computer system and network administrators
       • Application programmers
     • Security issues follow technology
       • Desktop systems, wireless networks, handheld devices
     • Security issues affect software, laws, profits and businesses

  3. Computer Security
     • Definition – ensuring the security of resources in a computing environment
       • “ensuring” – work to make it so – a process
       • “resources” – data, network, hardware, applications, …
       • “computing environment” – mix of hardware, software and people

  4. Information Assurance
     • A broader category than computer security, information security, etc.
     • Concerned with the
       • Security of information in system
       • Quality/Reliability of information in system

  5. Core Security Concepts
     • Vulnerability, Exploit, Threat
       • Vulnerability – a weakness in some aspect of a system
       • Exploit – a known method for taking advantage of a vulnerability
       • Threat – the likelihood of some agent using an exploit to compromise security
     • Note: not all users/groups are equal threats to various systems
       • “Hackers” more of a threat to popular web sites, businesses
       • Disgruntled employees more of a threat to isolated businesses

  6. Interesting Security Email Lists
     • Cryptogram Newsletter, Bruce Schneier
       • http://www.counterpane.com; Library, Crypto-gram
     • US/CERT Advisory List (Dept. of Homeland Security)
       • http://www.us-cert.gov; Advisories by Email
     • Bugtraq List
       • http://seclists.org/about/bugtraq.txt, subscription information about 2/3 down the page

  7. Principles To Consider
     • Security is a very difficult topic to comprehend
     • No silver bullets
     • However, consideration of major principles will help develop a good set of security processes and policies

  8. 1st Principle
     • “Security is a process, not a product” – attributed to Bruce Schneier of Counterpane Security Systems, others
     • Not something you purchase
     • Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment
     • Must be dealt with continually

  9. 2nd Principle
     • Computer Security is not just about computer systems
     • Three major aspects to computer security
       • Technology
         • Hardware (systems, networks, any connected equipment)
         • Software (programming, configuration)
       • People, in many different roles
         • Legitimate users, disgruntled users, hackers
         • Insiders vs. outsiders – fuzzy line!
         • Social engineering is a large concern
           • Best technological security is worthless if someone is tricked into turning it off / allowing access through it
       • Physical environment
         • Surroundings, access, proximity

  10. 3rd Principle
      • Security and convenience are inversely proportional
        • Lack of security generally makes it easier to get work done
        • Addition of security may interfere with the ease of getting a job done
      • Goal: find the balance point that supports both

  11. 4th Principle
      • Security succeeds or fails based on the weakest link
      • All aspects (technology, people, environment) must be attended to equally
      • Must remain current with each aspect
        • E.g. software patches should be applied as they come out, not when you “get around to it”
      • Corollary: “People are the weakest link” – Kevin Mitnick

  12. 5th Principle
      • Hackers are generally technologists (as opposed to programmers)
        • Smaller group of hackers program exploits, viruses
        • More hackers apply technology already available, sometimes in creative ways
      • Poor configuration of systems is a major security problem
      • Corollary – good programming skills aren’t sufficient to make a good security professional
        • Add understanding of networks & technology, attention to detail, creativity, …

  13. 6th Principle
      • Utilize Multiple Layers of Defense
      • E.g. Network hardware
        • Router – initial line of defense
        • Bastion host(s) – system(s) visible/available to outside world (e.g. web server)
        • Firewall – second line of defense
        • Secure intranet – internally available systems
      • Can anyone bypass one or more layers?

  14. 7th Principle
      • Focus your security energy on dealing with the most likely threats
      • Consider what is most relevant to your environment
        • Which vulnerabilities do you have?
        • Which of these have known exploits?
        • What users are likely to cause problems?
        • What is the likelihood of a given threat?

  15. 8th Principle
      • One aspect of security is obscurity
        • Don’t set yourself up as a target
        • Maintain a low network profile for your business, computer system, etc.
        • Problem: contradicts marketing principles if you’re a business
      • Examples
        • Windows is attacked more than MacOS/OS X
        • Those who claim their systems can’t be hacked will have lots of people trying…

  16. Putting It Together
      • Computer Security is a balancing of a number of interrelated factors
        • Considering Security Goals
        • Developing Layered Protection (Vertically, Horizontally)
        • Utilizing Available Resources
        • Developing and Enforcing Policies and Processes
        • Minimizing Interference With Functionality
        • Weighing of Risks
        • Maintaining Constant Vigilance
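
The question that closes the 6th Principle slide ("Can anyone bypass one or more layers?") can be checked mechanically against a network diagram. The following is an added example, not part of the original presentation: the link list, the host names and the unmanaged wireless access point are constructed, and it assumes the router and the firewall are the layers every path from outside must cross.

```python
from collections import defaultdict

# Layers from the 6th Principle slide that outside traffic must cross (assumption).
REQUIRED_LAYERS = ["router", "firewall"]

# Directed links (from, to). Constructed sample network, not from the slides.
LINKS = [
    ("internet", "router"),
    ("router", "bastion-web"),
    ("bastion-web", "firewall"),
    ("router", "firewall"),
    ("firewall", "intranet-db"),
    ("firewall", "intranet-files"),
    # An unmanaged wireless access point plugged into the internal LAN.
    ("internet", "wifi-ap"),
    ("wifi-ap", "intranet-files"),
]

def simple_paths(graph, start, goal, path=None):
    """Yield every loop-free path from start to goal (depth-first)."""
    path = (path or []) + [start]
    if start == goal:
        yield path
        return
    for nxt in graph.get(start, []):
        if nxt not in path:
            yield from simple_paths(graph, nxt, goal, path)

def bypasses(links, source, targets, required=REQUIRED_LAYERS):
    """Return {target: [(path, skipped_layers), ...]} for paths that miss a layer."""
    graph = defaultdict(list)
    for src, dst in links:
        graph[src].append(dst)
    findings = {}
    for target in targets:
        bad = []
        for path in simple_paths(graph, source, target):
            skipped = [layer for layer in required if layer not in path]
            if skipped:
                bad.append((path, skipped))
        if bad:
            findings[target] = bad
    return findings

if __name__ == "__main__":
    found = bypasses(LINKS, "internet", ["intranet-db", "intranet-files"])
    for target, bad in found.items():
        for path, skipped in bad:
            print(f"{target}: {' -> '.join(path)} skips {', '.join(skipped)}")
```

Every path that reaches an internal system without passing through a required layer is reported together with the layers it skipped; an empty result means no route around the router or firewall exists in the modelled links.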
