Communications Network Management: An Introduction to Security

Author: Andy Reed ftp://topsurf.co.uk/reed

FdSc IT/Computer Networking & IT(e-commerce)


Data Security

Computer security is the protection of a company’s assets by ensuring the safe, uninterrupted operation of the system and the safeguarding of its computer, programs and data files.

Prof. H. J. Highland, State University of New York


Areas for Discussion (Term 1)

• System Security
• Network Security
• Data Security
• Authentication
• Malware
• Security Controls
• Implementation levels
• Legal Issues


Is there a real need for security?

The Internet and networked systems have become a focal point for a variety of criminal and/or malicious activity, such as:

• Malware, i.e. viruses, worms, Trojan horses
• Fraud, theft, malicious damage
• Masquerading, spoofing
• Espionage, terrorism
• Obscenities, profanities


Corporate security: what is needed?

For many organisations there will be a number of security concerns, each with its own specific security requirements:

• Schools, colleges and universities
• Financial establishments
• Government offices
• Hospitals
• E-commerce
• Military installations


Common Threats

• Student records (adding, deleting or improving exam grades)
• Confidential or personal information
• Payroll, accounts department
• Accidental damage to data
• Fire
• Flood
• Theft


Common Threats

• Medical records
• Historical records
• Sensitive military information
• Payment transactions
• Bank account information
• Physical assets
• Personnel


Data Security

Security concerns and requirements can be measured in a number of different ways.

• Data availability
• Personal accountability
• Data integrity
• Data or personal confidentiality


Confidentiality

• Prevention of unauthorised information disclosure.

• Data access must be restricted to authorised personnel who hold a valid ‘need to know’.

• The seriousness of the disclosure is often dictated by whether it occurs to an unauthorised member of the same organisation or a total outsider.


Integrity

• This could refer to either the organisation, the system, the data or all.

• The user must have confidence that:
  • The same information can be retrieved as was originally entered.
  • Internal processes work as expected or claimed.

• Integrity may be compromised as a result of accidental error or malicious activity.


Availability

• Systems or data should be accessible and fit for purpose on demand by an authorised entity.

• Availability encompasses:
  • The prevention of unauthorised withholding of information or resources.
  • Safeguards against system failure.

• The seriousness of a denial of service generally increases in proportion to the period of unavailability.


Accountability

• The property that ensures that the actions of an entity may be traced uniquely to that entity.

• This may be encompassed by monitoring:
  • System behaviour
  • Staff activity

What connotations can employee monitoring schemes have?


Terminology

• Asset
• Threat
• Vulnerability
• Physical
• Procedural or personnel policy
• Logical / system / technical


Terminology (cont)

• Risk
• Countermeasure
• Impact
• Baseline security


Asset

An asset is generally considered as an entity of value, such as:

• Data
• Financial: stocks, shares or bonds
• Physical
• Personnel


Threat

A threat is an unwanted deliberate, malicious or accidental act that may result in damage, depletion or harm to an asset:

• Virus
• Flood
• Theft
• Fire


Vulnerability

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security.

• Weak password authentication
• Out-of-date antivirus
• External penetration
• Unsecured channels


Physical Security

The risk to, or from, a physical entity: this could be data, hardware/software or personnel. Physical security covers the measures that must be taken to prevent theft, vandalism and other types of harm to the technology equipment.

• Personal safety
• Locks, doors and secure rooms
• ID tags
• Infrared tags


Procedural Policy

Procedural measures taken to prevent a disaster, such as safety inspections, fire drills, security awareness programmes and the timing of planned security actions.

• Enforce user policies (no post-its)
• Plan for disaster recovery
• Maintenance schemes for hardware and software


Risk

The probability that a particular threat will accidentally trigger or intentionally exploit a particular information system vulnerability and the resulting impact if this should occur.

Probability:

P = probability, A = event

P(A) = (number of ways event A can occur) / (total number of possible outcomes)


Risk Assessment Cycle

(Figure: risk assessment cycle diagram. Source: www.microsoft.con, Security Risk Management)


Risk Assessment

Risk assessment is an ongoing activity throughout the organisation's lifetime. Some steps in the risk assessment cycle are:

• Identify potential risks that could harm or hinder operational procedure, data or personnel

• Estimate the probability of such events occurring


Risk Assessment

• Estimate the most critical and sensitive assets and the potential financial loss, including recovery costs

• Identify the most cost-effective approach to implementing security procedures

• Develop an action plan for security proposals


Risk Assessment

• Implement security procedures
• Monitor the programme for effectiveness
• Identify potential risks that could harm or hinder operational procedure, data or personnel
• Continue the cycle
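As an added illustration of the cycle above (example code written for this edit, not part of the original slides), the following Python sketch applies the steps to a small risk register: estimate the probability and loss for each threat, rank the register by expected loss, and judge whether a candidate countermeasure is cost-effective, that is, whether the loss it avoids exceeds its cost. The assets, threats, probabilities and cost figures are constructed for the example and are not data from the lecture.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float  # estimated chance of the event in the review period (0..1)
    loss: float         # financial loss if it occurs, including recovery costs

    def expected_loss(self) -> float:
        # Probability of the event times the loss it would cause.
        return self.probability * self.loss


@dataclass
class Countermeasure:
    name: str
    cost: float
    reduces: str              # the threat this control acts on
    residual_probability: float  # estimated probability once the control is in place


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Order the register so the most critical exposures come first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided by the countermeasure minus what it costs.
    A positive figure means the control is cost-effective for this risk."""
    residual = Risk(risk.asset, risk.threat, cm.residual_probability, risk.loss)
    return risk.expected_loss() - residual.expected_loss() - cm.cost


def select_countermeasures(register: list[Risk], candidates: list[Countermeasure]):
    """Return (name, net benefit) for every candidate worth implementing."""
    chosen = []
    for cm in candidates:
        for risk in register:
            if risk.threat == cm.reduces and net_benefit(risk, cm) > 0:
                chosen.append((cm.name, round(net_benefit(risk, cm), 2)))
    return chosen


# Constructed sample register and candidate controls (illustrative figures only).
REGISTER = [
    Risk("student records", "unauthorised grade change", 0.10, 50_000),
    Risk("payroll server", "flood", 0.01, 200_000),
    Risk("file server", "virus", 0.30, 20_000),
]
CANDIDATES = [
    Countermeasure("password time-outs", 1_500, "unauthorised grade change", 0.02),
    Countermeasure("raise server room above flood line", 15_000, "flood", 0.001),
    Countermeasure("up-to-date antivirus", 2_000, "virus", 0.05),
]
```

Re-running the selection after each review period with updated probabilities is the "continue the cycle" step; a control that was rejected as too costly can become worthwhile once the estimated threat probability rises.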


Countermeasure

An action or restraint on the system designed to enhance security by reducing the risk of an attack, by reducing either the threat or the vulnerability.

• Password time-outs
• Intrusion detection systems
• Enhancing security requirements to meet the threat
• P:P:P:P:P:P:P


Impact

The resulting after-effects of a successful security breach via a threat or vulnerability. The impact will almost certainly generate unwanted outcomes or consequences.


Consequences

• Financial loss
• Embarrassment
• Breach of commercial confidentiality
• Breach of personal privacy
• Legal liability
• Disruption to activities
• Threat to personal safety


Legal Issues

It is important to have an understanding of legal issues relating to security. Setting stringent security policies without a basic understanding of the legal implications could prove costly.

• ICT and the Law will be covered in later lectures, but for now:


Table of UK Statutes

• Computer Misuse Act 1990
• Contracts (Rights of Third Parties) Act 1999
• Copyright, Designs and Patents Act 1988
• Criminal Justice and Public Order Act 1994
• Data Protection Act 1998
• Defamation Act 1996
• Electronic Communications Act 2000
• Obscene Publications Act 1964


Table of UK Statutes (cont)

• Protection of Children Act 1978
• Sale of Goods Act 1979
• Supply of Goods and Services Act 1982
• Telecommunications Act 1994
• Trade Descriptions Act 1968
• Trade Marks Act 1994
• Unfair Contract Terms Act 1977


Conclusion

• 100% security is not an achievable objective.
• Threats are real and present; address them.
• Security costs money; lack of security costs more.
• Understand the legal standing of the organisation.
• Determine the appropriate level of security for the assets held.


Conclusions

• Risk assessment should be a cyclic progression.
• 99.999% security is said to be considered desirable.
• Organisations have a legal obligation to protect third-party assets, data and employee confidentiality.
• It is useful to understand how the Law fits into the domain of ICT data security.