1. Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts
2. Why Study Computer Security? Increasingly important issue for:
Computer system and network administrators
Application programmers
Security issues follow technology
Desktop systems, wireless networks, handheld devices
Security issues affect software, laws, profits and businesses
3. Computer Security Definition – ensuring the security of resources in a computing environment
“ensuring” – work to make it so – a process
“resources” – data, network, hardware, applications, …
“computing environment” – mix of hardware, software and people
4. Information Assurance A broader category than computer security, information security, etc.
Concerned with the
Security of information in system
Quality/Reliability of information in system
5. Core Security Concepts Vulnerability, Exploit, Threat
Vulnerability – a weakness in some aspect of a system
Exploit – a known method for taking advantage of a vulnerability
Threat – the likelihood of some agent using an exploit to compromise security
Note: not all users/groups are equal threats to various systems
“Hackers” more of a threat to popular web sites, businesses
Disgruntled employees more of a threat to isolated businesses
6. Interesting Security Email Lists Cryptogram Newsletter, Bruce Schneier
http://www.counterpane.com; Library, Crypto-gram
US/CERT Advisory List (Dept. of Homeland Security)
http://www.us-cert.gov ; Advisories by Email
Bugtraq List
http://seclists.org/about/bugtraq.txt , subscription information about 2/3 down the page
7. Principles To Consider Security is a very difficult topic to comprehend
No silver bullets
However, consideration of major principles will help develop a good set of security processes and policies
8. 1st Principle “Security is a process, not a product” – attributed to Bruce Schneier of Counterpane Security Systems, others
Not something you purchase
Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment
Must be dealt with continually
9. 2nd Principle Computer Security is not just about computer systems
Three major aspects to computer security
Technology
Hardware (systems, networks, any connected equipment)
Software (programming, configuration)
People, in many different roles
Legitimate users, disgruntled users, hackers
Insiders vs. outsiders – fuzzy line!
Social engineering is a large concern
The best technological security is worthless if someone is tricked into turning it off or allowing access through it
Physical environment
Surroundings, access, proximity
10. 3rd Principle Security and convenience are inversely proportional
Lack of security generally makes it easier to get work done
Addition of security may interfere with the ease of getting a job done
Goal: find the balance point that supports both
11. 4th Principle Security succeeds or fails based on the weakest link
All aspects (technology, people, environment) must be attended to equally
Must remain current with each aspect
E.g. software patches should be applied as they come out, not when you “get around to it”
Corollary: “People are the weakest link” – Kevin Mitnick
12. 5th Principle Hackers are generally technologists (as opposed to programmers)
Smaller group of hackers program exploits, viruses
More hackers apply technology already available, sometimes in creative ways
Poor configuration of systems is a major security problem
Corollary – good programming skills aren’t sufficient to make a good security professional
Add understanding of networks & technology, attention to detail, creativity, …
13. 6th Principle Utilize Multiple Layers of Defense
E.g. Network hardware
Router – initial line of defense
Bastion host(s) – system(s) visible/available to outside world (e.g. web server)
Firewall – second line of defense
Secure intranet – internally available systems
Can anyone bypass one or more layers?
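The question "Can anyone bypass one or more layers?" can be checked mechanically. The following is an added example, not part of the original slides: it enumerates every route from an outside entry point to the intranet in a constructed network and reports which defensive layers each route skips. The node names, the direct bastion-to-intranet link and the unmanaged wireless access point are assumptions made for illustration.

```python
# Added example: layered-defense audit over a constructed network model.
LAYERS = {"router", "firewall"}  # the two lines of defense named on the slide

# Directed edges: which node can pass traffic to which (constructed sample).
EDGES = {
    "internet": ["router"],
    "router": ["bastion_host", "firewall"],
    # Assumed misconfiguration: dual-homed bastion host with a direct
    # internal link in addition to the path through the firewall.
    "bastion_host": ["firewall", "intranet"],
    "firewall": ["intranet"],
    # Assumed misconfiguration: unmanaged access point on the internal LAN.
    "wireless_client": ["unmanaged_wifi_ap"],
    "unmanaged_wifi_ap": ["intranet"],
}
ENTRY_POINTS = ["internet", "wireless_client"]
TARGET = "intranet"


def paths_to(target, node, edges, visited=()):
    """Yield every cycle-free path from node to target (depth-first)."""
    visited = visited + (node,)
    if node == target:
        yield list(visited)
        return
    for nxt in edges.get(node, []):
        if nxt not in visited:
            yield from paths_to(target, nxt, edges, visited)


def audit(edges, entry_points, target, layers):
    """Return (path, layers_skipped) for every route that reaches target."""
    findings = []
    for entry in entry_points:
        for path in paths_to(target, entry, edges):
            findings.append((path, sorted(layers - set(path))))
    return findings


def bypasses(findings):
    """Keep only the routes that skip at least one defensive layer."""
    return [f for f in findings if f[1]]


if __name__ == "__main__":
    for path, skipped in audit(EDGES, ENTRY_POINTS, TARGET, LAYERS):
        status = "skips " + ", ".join(skipped) if skipped else "all layers crossed"
        print(" -> ".join(path), ":", status)
```

Any route reported by `bypasses` is a place where the layering exists on paper but not on the wire.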
14. 7th Principle Focus your security energy on dealing with the most likely threats
Consider what is most relevant to your environment
Which vulnerabilities do you have?
Which of these have known exploits?
What users are likely to cause problems?
What is the likelihood of a given threat?
15. 8th Principle One aspect of security is obscurity
Don’t set yourself up as a target
Maintain a low network profile for your business, computer system, etc.
Problem: contradicts marketing principles if you’re a business
Examples
Windows is attacked more than MacOS/OS X
Those who claim their systems can’t be hacked will have lots of people trying…
16. Putting It Together Computer security is a balancing of a number of interrelated factors
Considering Security Goals
Developing Layered Protection (Vertically, Horizontally)
Utilizing Available Resources
Developing and Enforcing Policies and Processes
Minimizing Interference With Functionality
Weighing of Risks
Maintaining Constant Vigilance