Network Security
Fundamental Aspects
Msc. Vuong Thi Nhung
Faculty of Information Technology
Hanoi University
Aug 23, 2015
Contents
 History of Information Security
 Information Security Definition and Concept
 AAA & CIA models
 Threats and Risks
 Some security guidelines
The story of the Internet worm
 On November 2, 1988, Robert Morris, Jr., a
graduate student in Computer Science at Cornell,
wrote an experimental, self-replicating, self-
propagating program called a worm and injected it
into the Internet.
 He chose to release it from MIT, to disguise the fact
that the worm came from Cornell.
 Morris soon discovered that the program was
replicating and reinfecting machines at a much
faster rate than he had anticipated.
 Ultimately, many machines at locations around the
country either crashed or became “unresponsive”.
 When Morris realized what was happening, he
contacted a friend at Harvard to discuss a solution.
Eventually, they sent an anonymous message from
Harvard over the network, instructing programmers
how to kill the worm and prevent reinfection.
 However, because the network route was blocked,
this message did not get through until it was too
late.
 Computers were affected at many sites, including
universities, military sites, and medical research
facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more
than $53,000.
 The program took advantage of a hole in the debug
mode of the Unix sendmail program, which runs on
a system and waits for other systems to connect to it
and give it email.
 People at the University of California and MIT had
copies of the program and were actively
disassembling it (returning the program back into its
source form) to try to figure out how it worked.
 Teams of programmers worked non-stop to come up
with at least a temporary fix, to prevent the
continued spread of the worm.
 The information didn't get out as quickly as it could
have, however, since so many sites had completely
disconnected themselves from the network.
 After a few days, things slowly began to return to
normalcy and everyone wanted to know who had
done it all. Morris was later named in The New York
Times as the author of the incident.
 Robert T. Morris was convicted of violating the
Computer Fraud and Abuse Act (Title 18), and
sentenced to three years of probation, 400 hours of
community service, a fine of $10,050, and the costs
of his supervision. His appeal, filed in December,
1990, was rejected the following March.
http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html
 After the incident, Morris was suspended from
Cornell for acting irresponsibly according to a
university board of inquiry. Later, Morris would obtain
his Ph.D. from Harvard University for his work on
modeling and controlling networks with large
numbers of competing connections.
 Robert Morris is currently an assistant professor
at MIT (apparently they forgave him for launching
his worm from their network) and a member of
their Laboratory of Computer Science in the
Parallel and Distributed Operating Systems
group. He teaches a course on Operating
System Engineering and has published
numerous papers on advanced concepts.
What is Security
 Security: “The quality or state of being secure—to
be free from danger”
 Security is the protection of information and its
critical elements, including systems and
hardware that use, store, and transmit that
information
 Necessary tools: policy, awareness, training,
education, technology
Layers of security
 A successful organization should have multiple
layers of security in place:
 Physical security - To protect the physical items, objects, or
areas of an organization from unauthorized access and
misuse.
 Personal security - To protect the individual or group of
individuals who are authorized to access the organization
and its operations.
 Operations security - To protect the details of a particular
operation or series of activities
 Communications security - To protect an organization’s
communications media, technology, and content.
 Network security - To protect networking components,
connections.
 Information security- To protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing or transmission.
 It is achieved via the application of policy, education,
training and awareness, and technology.
Building elements of Information Security: Authentication, Access Control, Auditing (the AAA model)
 Sender, receiver want to confirm identity of
each other
 Who am I talking to?
Example: FIT E-learning
(Diagram: Student V connects to FIT E-learning over a network of ISPs A, B, C and D)
Authentication: Who am I talking to?
(Diagram: Student V sends “Hello, I’m V” to FIT E-learning across ISPs A, B, C and D; FIT E-learning asks “Is that student V?” and Student V asks “Is that FIT?”)
Authentication
 Protection Mechanisms
 Password
 Manual
 One-Time Password
 Key Sharing
 Public-private keys
 Wifi
 Challenge-Response
 Multi-factor Authentication
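The challenge-response mechanism listed above is easiest to understand as an exchange. The following is an added example written for this page (not code from the slides): Student V and the FIT E-learning server share a secret; the server sends a fresh random challenge, and V answers with HMAC(secret, challenge), so the secret itself never crosses the network and a response captured by someone on the path (Mr. T in the slides) is useless against the next challenge. The user names, the shared secret and the use of HMAC-SHA256 are assumptions made for the example.

```python
"""Challenge-response authentication between Student V and FIT E-learning.
Added example for this page; names, secrets and HMAC-SHA256 are assumptions."""
import hashlib
import hmac
import secrets


class Server:
    """The FIT E-learning side: issues challenges and verifies responses."""

    def __init__(self, user_secrets):
        self._secrets = user_secrets   # username -> shared secret (constructed)
        self._pending = {}             # username -> outstanding challenge

    def issue_challenge(self, username):
        """Step 1: 'Hello, I'm V' arrives; reply with a fresh random nonce."""
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def verify(self, username, response):
        """Step 3: recompute the expected response and compare in constant time.
        The challenge is consumed whether or not the check passes, so a
        captured response cannot be replayed against a later challenge."""
        challenge = self._pending.pop(username, None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    """The Student V side: answers challenges with the shared secret."""

    def __init__(self, username, secret):
        self.username = username
        self._secret = secret

    def respond(self, challenge):
        """Step 2: prove knowledge of the secret without transmitting it."""
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def run_exchange(server, client):
    """One full exchange: hello -> challenge -> response -> verdict."""
    challenge = server.issue_challenge(client.username)
    response = client.respond(challenge)
    return server.verify(client.username, response)


def replay_is_rejected(server, client):
    """A captured valid response, resent after a new challenge was issued,
    must fail: the nonce it answers is no longer the pending one."""
    challenge = server.issue_challenge(client.username)
    captured = client.respond(challenge)
    server.verify(client.username, captured)    # legitimate login succeeds
    server.issue_challenge(client.username)     # new session, new nonce
    return not server.verify(client.username, captured)


def wrong_secret_is_rejected(server):
    """Someone claiming to be V without V's secret cannot answer correctly."""
    impostor = Client("V", b"constructed-wrong-guess")
    return not run_exchange(server, impostor)


if __name__ == "__main__":
    shared = b"constructed-shared-secret-for-V"
    fit = Server({"V": shared})
    v = Client("V", shared)
    print("legitimate login:", run_exchange(fit, v))
    print("replay rejected:", replay_is_rejected(fit, v))
    print("wrong secret rejected:", wrong_secret_is_rejected(fit))
```

The design point is in `verify`: the challenge is removed from the pending table before the comparison, so each nonce answers exactly one attempt, and `hmac.compare_digest` avoids leaking how many bytes of the response were correct.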
Access Control
 Access control can be defined as a policy,
software component, or hardware component
that is used to grant or deny access to a
resource.
 Example of hardware components: A smart
card, a biometric device, or network access
hardware
Access Control
 Services must be accessible to appropriate
users
 Do you have adequate privileges to access
this information?
Access control: Is Mr. T allowed to view course contents?
(Diagram: Mr. Anonymous and Student V both reach FIT E-learning through ISPs A, B, C and D; the question is whether Mr. T is allowed to view course contents)
Access Control
 Protection mechanisms
 Access control list
 Firewall
 VPN
 Smart card
 Rules
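The access control list named above can be shown working on the slides' own question ("Is Mr. T allowed to view course contents?"). The following is an added example for this page, not code from the slides: a small deny-by-default ACL in which entries grant actions on a resource to a user or to a role, and anything not granted is refused. The resource names, the roles and the grants are constructed for the example.

```python
"""Deny-by-default access control list for the FIT E-learning scenario.
Added example for this page; resources, roles and grants are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    principal: str        # a user ("student:V") or a role ("role:enrolled")
    resource: str         # what the entry protects ("course/NetSec/contents")
    actions: frozenset    # what is permitted ("view", "submit", "grade", ...)


@dataclass
class AccessControlList:
    entries: list = field(default_factory=list)
    memberships: dict = field(default_factory=dict)   # user -> set of roles

    def grant(self, principal, resource, *actions):
        """Add one positive entry; there are no negative entries because
        everything not granted is already denied."""
        self.entries.append(AclEntry(principal, resource, frozenset(actions)))

    def principals_for(self, user):
        """A request matches entries for the user and for any role they hold."""
        roles = self.memberships.get(user, ())
        return {user} | {"role:" + r for r in roles}

    def is_allowed(self, user, action, resource):
        """Deny unless some entry for the user or one of their roles covers
        exactly this resource and this action."""
        who = self.principals_for(user)
        return any(
            e.principal in who and e.resource == resource and action in e.actions
            for e in self.entries
        )

    def explain(self, user, action, resource):
        verdict = "ALLOW" if self.is_allowed(user, action, resource) else "DENY"
        return "%s: %s %s %s" % (verdict, user, action, resource)


def build_fit_acl():
    """Constructed policy: enrolled students view contents and submit homework;
    staff additionally edit contents and grade; anyone else gets nothing."""
    acl = AccessControlList()
    acl.memberships["student:V"] = {"enrolled"}
    acl.memberships["staff:S"] = {"staff"}
    acl.grant("role:enrolled", "course/NetSec/contents", "view")
    acl.grant("role:enrolled", "course/NetSec/homework", "view", "submit")
    acl.grant("role:staff", "course/NetSec/contents", "view", "edit")
    acl.grant("role:staff", "course/NetSec/homework", "view", "grade")
    return acl


if __name__ == "__main__":
    acl = build_fit_acl()
    for user, action, resource in [
        ("student:V", "view", "course/NetSec/contents"),
        ("Mr. T", "view", "course/NetSec/contents"),      # the slide's question
        ("student:V", "grade", "course/NetSec/homework"),
        ("staff:S", "grade", "course/NetSec/homework"),
    ]:
        print(acl.explain(user, action, resource))
```

Mr. T is unknown to the ACL, holds no role, and so is denied without any rule having to mention him; that is what deny-by-default buys. Student V is allowed to view contents through the `enrolled` role but cannot grade, because grading was granted only to `staff`.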
Auditing
 Auditing is the process of tracking and
reviewing events, errors, access, and
authentication attempts on a system.
 Protection mechanism: logging system,
history.
Auditing
 Develop a path and trail system in the logging
of the monitored events that allows tracking of
usage and access, either authorized or
unauthorized.
 It improves security and allows for better
audit policies and rules
Example: Enable auditing for logon events
Go to Administrative Tools | Local Security Policy
Navigate to Local Policies | Audit Policy
Enable auditing for logon events
Go to Event Viewer to see logs.
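Once logon auditing is enabled, the value comes from reviewing the trail. The following is an added example for this page (not code from the slides): it parses a constructed logon audit trail, totals successes and failures per account, and raises a finding when several consecutive failures are followed by a success, which is the kind of sequence an auditor would want to look at. The log format, the sample lines and the failure threshold are all constructed for the example.

```python
"""Audit-trail review over constructed logon records.
Added example for this page; log format, records and threshold are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample trail: timestamp, event, user, source address.
SAMPLE_LOG = """\
2015-08-23T09:00:01 LOGON_SUCCESS user=V src=10.0.0.5
2015-08-23T09:05:10 LOGON_FAILURE user=V src=203.0.113.9
2015-08-23T09:05:12 LOGON_FAILURE user=V src=203.0.113.9
2015-08-23T09:05:15 LOGON_FAILURE user=V src=203.0.113.9
2015-08-23T09:05:19 LOGON_FAILURE user=V src=203.0.113.9
2015-08-23T09:05:40 LOGON_SUCCESS user=V src=203.0.113.9
2015-08-23T09:10:00 LOGON_FAILURE user=admin src=10.0.0.7
2015-08-23T09:30:00 LOGON_SUCCESS user=admin src=10.0.0.7
"""

FAILURE_THRESHOLD = 3   # constructed: consecutive failures that make a success suspicious


def parse_line(line):
    """Turn one record into a dict. A malformed line raises ValueError so a
    gap in the trail is noticed rather than silently skipped."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review_trail(records):
    """Per user: success count, failure count and a list of findings.
    A finding is raised when FAILURE_THRESHOLD or more consecutive failures
    are immediately followed by a success for the same account."""
    report = defaultdict(lambda: {"success": 0, "failure": 0, "findings": []})
    streak = defaultdict(int)   # consecutive failures per user
    for r in records:
        user = r["user"]
        entry = report[user]
        if r["event"] == "LOGON_FAILURE":
            entry["failure"] += 1
            streak[user] += 1
        elif r["event"] == "LOGON_SUCCESS":
            entry["success"] += 1
            if streak[user] >= FAILURE_THRESHOLD:
                entry["findings"].append(
                    "%d failures then success from %s at %s"
                    % (streak[user], r["src"], r["time"].isoformat())
                )
            streak[user] = 0
    return dict(report)


def flagged_users(records):
    """Accounts whose trail produced at least one finding, sorted by name."""
    return sorted(u for u, e in review_trail(records).items() if e["findings"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, entry in review_trail(recs).items():
        print(user, entry)
    print("needs review:", flagged_users(recs))
```

On the sample, account V shows four failures from one address followed by a success from the same address and is flagged; `admin` shows a single failure and is not. The source address in the finding is what lets the reviewer decide whether the successful logon was the legitimate user finally typing the password correctly or something that needs a follow-up.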
Security Goal: Confidentiality, Integrity, Availability (the CIA model)
ISO 27002:2005 defines Information Security as the
preservation of:
– Confidentiality: Ensuring that information is accessible only to those authorized to have access
– Integrity: Safeguarding the accuracy and completeness of information and processing methods
– Availability: Ensuring that authorized users have access to information and associated assets when required
Information Attributes
9/10/2015 Mohan Kamat
Confidentiality
 Only sender, intended receiver should
“understand” message contents
 Is my data hidden?
Confidentiality
 Protection Mechanisms
 Data encryption
 Symmetric
 Asymmetric (public-private keys)
Confidentiality: Is my data hidden?
(Diagram: Student V’s homework travels to FIT E-learning through ISPs A, B, C and D while Mr. T sits on the path; the question is “Can Mr. T see my homework?”)
Integrity
 Sender, receiver want to ensure message not
altered (in transit, or afterwards) without
detection
 Has my data been modified?
Integrity: Has my data been modified?
(Diagram: Student V’s homework travels to FIT E-learning through ISPs A, B, C and D while Mr. T sits on the path; the question is “Can Mr. T modify student V’s homework?”)
Integrity
 Protection mechanisms
 Digital signature
Availability
 Services must be available to users
 Can I reach the destination?
Availability: Can I reach the destination?
(Diagram: Student V tries to reach FIT E-learning through ISPs A, B, C and D; the question is “Can I access FIT during midterm?”)
Availability
 Protection mechanisms
 Backup and recovery
 Firewall
 Vulnerability scanning and patching
 Intrusion detection and response
 Virus scanning
What is Risk?
Risk: A possibility that a threat exploits a
vulnerability in an asset and causes damage or
loss to the asset.
Threat: Something/Someone that can potentially
cause damage to the organisation, IT Systems
or network.
Vulnerability: A weakness in the organization, IT
Systems, or network that can be exploited
by a threat.
Infosecurity Survey
• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: people
• Biggest asset: people
• Social engineering is a major threat
• More than two-thirds express their inability to determine “whether my systems are currently compromised”
Risks & Threats: Potential Threats
• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire
So how do we overcome these problems?
User Responsibilities
Information Security Policy
IS Policy is approved by Top Management
Policy is released on the Intranet at http://xx.xx.xx.xx/ISMS/index.htm
Access Control - Physical
Do:
• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask an unauthorized visitor for his credentials
• Attend visitors in Reception and Conference Room only
Do not:
• Bring visitors into the operations area without prior permission
• Bring hazardous and combustible material into the secure area
• Practice “Piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so
Password Guidelines
Do:
 Always use at least an 8-character password with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
 Use passwords that you can remember easily
 Change your password regularly as per policy
 Use a password that is significantly different from earlier passwords
Do not:
 Use passwords which reveal your personal information or words found in a dictionary
 Write down or store passwords
 Share passwords over phone or e-mail
 Use passwords which do not match the above complexity criteria
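The complexity criteria above can be enforced rather than just stated. The following is an added example for this page (not code from the slides): a checker that applies the slide's rules, minimum length of 8 with letters, digits and one of the listed special characters, no dictionary words or personal information, and a new password that is significantly different from earlier ones, measured here as an edit distance. The word list, the personal details and the edit-distance threshold are constructed assumptions for the example.

```python
"""Password guideline checker for the rules on this slide.
Added example for this page; word list, personal data and the "significantly
different" threshold are constructed assumptions."""
import string

SPECIALS = set("*%@#$^")      # exactly the special characters the slide lists
MIN_LENGTH = 8
MIN_EDIT_DISTANCE = 4         # constructed: fewer edits than this is "too similar"

# Constructed stand-ins for a dictionary and for the user's personal information.
DICTIONARY_WORDS = {"password", "welcome", "hanoi", "student", "security"}
PERSONAL_INFO = {"vuong", "nhung", "1990"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute or keep
        prev = cur
    return prev[-1]


def check_password(candidate, previous=()):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.ascii_letters for c in candidate):
        problems.append("no letters")
    if not any(c in string.digits for c in candidate):
        problems.append("no digits")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character from " + "".join(sorted(SPECIALS)))
    lowered = candidate.lower()
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append("contains dictionary word '%s'" % word)
    for item in sorted(PERSONAL_INFO):
        if item in lowered:
            problems.append("contains personal information '%s'" % item)
    for old in previous:
        if edit_distance(candidate, old) < MIN_EDIT_DISTANCE:
            problems.append("too similar to an earlier password")
            break
    return problems


if __name__ == "__main__":
    history = ["Tr0ub@d0r!x"]           # constructed earlier password
    for pw in ["Ab1@", "Password1@", "Nhung1990@x", "Tr0ub@d0r!y", "Gh7#plum9Zq"]:
        print(repr(pw), check_password(pw, history) or "OK")
```

Two things the slide leaves implicit are made concrete here: dictionary and personal-information matching is done on the lower-cased password so that capitalisation does not defeat it, and "significantly different" is given a number (an edit distance of at least 4), since a one-character change to the old password would otherwise satisfy a naive "not equal" test.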
Internet Usage
Technology Department is continuously monitoring Internet usage. Any illegal use of the internet and other assets shall call for disciplinary action.
 Do not use the internet for viewing, storing or transmitting obscene or pornographic material
 Do not use the internet for accessing auction sites
 Do not use the internet for hacking other computer systems
 Do not use the internet to download / upload commercial software / copyrighted material
 Use internet services for business purposes only
E-mail Usage
 Do not use your official ID for any personal subscription purpose
 Do not send unsolicited mails of any type such as chain letters or e-mail hoaxes
 Do not send mails to clients unless you are authorized to do so
 Do not post non-business-related information to a large number of users
 Do not open mail or attachments suspected to carry a virus or received from an unidentified sender
 Use official mail for business purposes only
 Follow the mail storage guidelines to avoid blocking of e-mails
 If you come across any junk / spam mail, do the following:
a) Remove the mail.
b) Inform the security help desk.
c) Inform the server administrator.
d) Inform the sender that such mails are undesired.
Security Incidents
Report Security Incidents (IT and Non-IT) to the Helpdesk through:
• E-mail to info.sec@organisation.com
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through drop boxes
e.g.:
IT incidents: mail spamming, virus attack, hacking, etc.
Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media
• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
 Ensure your desktop has the latest antivirus updates
 Ensure your system is locked when you are away
 Always store laptops / media in a lockable place
 Be alert while working on laptops during travel
 Ensure sensitive business information is under lock and key when unattended
 Ensure back-up of sensitive and critical information assets
 Understand compliance issues such as: cyber law; IPR, copyrights, NDA; contractual obligations with customers
 Verify credentials if a message is received from an unknown sender
 Always switch off your computer before leaving for the day
 Keep yourself updated on information security aspects
Disable non-essential services, protocols, processes and programs
 Unused protocols, systems and processes rob systems of resources and open the door to attacks that could damage your systems.
 If they are not being actively used, they are an unnecessary security risk.
 The solution is simply to disable or deactivate any service, protocol, system or process that is not needed.
But… Be Careful!
You need to understand what it is
and what you are doing!
Example: FIT E-learning
(Diagram: Student V, Mr. T and FIT E-learning connected through ISPs A, B, C and D)
Example: FIT E-learning
(Diagram: Student V sends “Hello, I’m V” to FIT E-learning across ISPs A, B, C and D)
Tutorial
 Using Wireshark to sniff the network traffic.
 Let’s see if you can get some passwords.