Cyber security security measure unit 1 ppt

CYBER SECURITY UNIT I INTRODUCTION TO CYBER SECURITY Introduction -Computer Security - Threats -Harm - Vulnerabilities - Controls - Authentication - Access Control and Cryptography - Web—User Side - Browser Attacks - Web Attacks Targeting Users - Obtaining User or Website Data - Email Attacks.

Learning Objectives Upon the conclusion of this module, the student will be able to: Identify common security services, including confidentiality, integrity, availability, authentication, authorization, and access control. Identify common security components. Describe common security control types (including preventive, deterrent, detective, and corrective). Describe the concept of “Defense-in-Depth”, or layered defense, covering security issues associated with hardware, software, and people. Explain the concept of trusted computing. Describe cyber defense tools, methods, and components. Describe important ethical issues to consider in computer security, including ethical issues associated with fixing or not fixing vulnerabilities and disclosing or not disclosing vulnerabilities.

Security Services Security can be defined as “the quality or state of being secure: such as freedom from danger” and provides an alternative definition as “something that secures: protection.” (Merriam-Webster) To this end, in order to protect our information assets (information and information systems), we can provide security services, such as confidentiality, integrity, availability, authentication, authorization, and access control , where warranted. The role of a security officer or system owner is to determine when, and where, these services should be applied to protect data. Not all of these services would be required for all data, as there is always the trade-off between security and usability.

Confidentiality Confidentiality is concerned with limiting access to data, ensuring that only authorized users have access. Examples of data that might need confidentiality would be user account data, or electronic medical records. Security components that provide for confidentiality include encryption technologies, firewalls, and other devices and components that control access to data.

Integrity Integrity is the assurance that information has not been modified by an unauthorized individual. Examples of data that must maintain integrity are bank records and electronic health records, both which could have significant negative ramifications if they were modified by an attacker. Technologies that provide integrity include cryptographic processes called “hashing”, which generate a digital fingerprint, or unique string, for an object.

Availability Availability is the assurance that the information or system will be accessible to users when it is needed. Examples of data that needs to be available would be, again, bank records and healthcare systems. Ensuring that there are redundant system components is important for providing for availability. As an example, multiple hard drives, redundant power supplies in servers, multiple web servers (clustered servers) in the event that one fails or must be taken down. The more critical availability is, the more redundancy that must be built in to the system.

Authentication Authentication is the verification that something, or someone, is what or who they are. Authentication of data is synonymous with integrity. We also can desire authentication of origin (knowing that an email was really sent by the person in the From field) or authentication of identity (is that person attempting to log in to the system really that individual?). Security components that provide for authentication include hashing (integrity), identity credentials, such as passwords and digital signatures, or digitally signing network packets to prove their origin.

Authorization Once a user is authenticated to the system, he is granted authorization to use its resources. Authorization allows you in to the network resources. In order to actually access the resources within the network, you need to have permission. Access controls provide that permission.

Access Control Access controls provides control over what the user can do at the resource. There are different types of access controls: Mandatory Access Controls (MAC) – They strictly control the operation that can be performed against an object. Considered the most rigid. Discretionary Access Controls (DAC) – Associated with UNIX and Windows system. The least strict. Object owners can determine the access others have to the object. Role-Based Access Controls (RBAC) – access is determined by the user’s role. For instance, in a Learning Management System, a student can only see his or her data, but a TA can see everyone and a Teacher can modify the controls.

Security Controls Security controls are safeguards or protections (countermeasures) that secure information or information systems. There are several types of security controls that can work together to provide a layered defense. Among these, preventive, deterrent, detective, and corrective controls.

Preventive Controls Preventive controls prevent a risk from happening. An example of a preventive control is an 8’ fence topped with razor wire.

Deterrent Controls While preventive controls prevent a risk from being actualized, deterrent controls dissuade the attacker from attacker. Using our example of the fence, while an 8’ fence may be a preventive control, a 4’ fence would serve as a deterrent. An individual might step over it, however most will not.

Corrective Controls Security controls will fail. At that point, we will need to rely on corrective controls. When combined with other controls, corrective controls provide a successful strategy for mitigating risks. An example of a corrective control are data backups.

Putting it All Together As a part of a layered defense approach, security controls should be combined. For example when implementing physical security controls to secure a data center you might implement the following: Preventive control Door locks on the data center doors. Detective control In the event that the attackers pick the lock, an alarm would sound when the intruder was detected in the room. Corrective control A security guard arrives on site in response to the alarm to secure the room.

People/Process Defense-in-Depth The concept of “defense-in-depth” is of military strategy origins, where multiple controls at different layers are implemented to secure the asset, so that when one layer fails, other controls are still in effect to mitigate the risk. These controls are generally implemented in hardware, software, and people. Data Software Hardware

Trusted Computing Finally, trusted computing is a broad term that relates to technologies that ensure that computers perform in expected ways, regardless of whether or not it has been compromised, enforced in hardware or software. The Federal Government requires purchases of its computers and operating systems, such as Microsoft Windows, to include a Trusted Platform Module (TPM) – a standard specifying a secure crypto processor that provides for platform integrity.

Other Cyber Defense Tools, Methods, and Components In addition to implementing access controls, cryptography, firewalls and intrusion detection systems as discussed, other cyber defense tools include patching O/S and applications, vulnerability scanning, and penetration testing.

Ethical Issues in Computer Security Most organizations that issue certifications to IT security personnel identify a number of ethical issues in their Codes of Ethics. For instance, as a Certified Ethical Hacker (CEH), EC-Council expects the individual to: Keep information learned in your professional work private, not sharing it without consent. Protect intellectual property rights. Provide competent service. Disclose conflicts of interest. Not associate with malicious hackers. Ensure that all penetration testing is legal and authorized. Failure to follow these standards can result in the loss of certification.

Access Control List An alternative representation is the access control list ; as shown in Figure 2-12 , this representation corresponds to columns of the access control matrix. There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is. This approach differs from the directory list because there is one access control list per object; a directory is created for each subject. Although this difference seems small, there are some significant advantages to this approach.

The access control list can be maintained in sorted order, with * sorted as coming after all specific names. For example, Adams- Decl -* would come after all specific compartment designations for Adams. The search for access permission continues just until the first match. In the protocol, all explicit designations are checked before wild cards in any position, so a specific access right would take precedence over a wildcard right. The last entry on an access list could be *-*-*, specifying rights allowable to any user not explicitly on the access list. With this wildcard device, a shared public object can have a very short access list, explicitly naming the few subjects that should have access rights different from the default.

Privilege List A privilege list , sometimes called a directory , is a row of the access matrix, showing all those privileges or access rights for a given subject. One advantage of a privilege list is ease of revocation: If a user is removed from the system, the privilege list shows all objects to which the user has access so that those rights can be removed from the object

Procedure-Oriented Access Control By procedure-oriented protection, we imply the existence of a procedure that controls access to objects (for example, by performing its own user authentication to strengthen the basic protection provided by the basic operating system). In essence, the procedure forms a capsule around the object, permitting only certain specified accesses.

Cryptography Encryption or cryptography—the name means secret writing—is probably the strongest defense in the arsenal of computer security protection. Well-disguised data cannot easily be read, modified, or fabricated

Cryptanalysis A cryptanalyst’s chore is to break an encryption. That is, the cryptanalyst attempts to deduce the original meaning of a cipher text message. Better yet, the cryptanalyst hopes to determine which decrypting algorithm, and ideally which key, matches the encrypting algorithm to be able to break other messages encoded in the same way.

Symmetric and Asymmetric Encryption Systems Recall that the two basic kinds of encryptions are symmetric (also called “secret key”) and asymmetric (also called “public key”). Symmetric algorithms use one key, which works for both encryption and decryption. Usually, the decryption algorithm is closely related to the encryption one,essentially running the encryption in reverse. The symmetric systems provide a two-way channel to their users:

Stream and Block Ciphers One final characterization of encryption algorithms relates to the nature of the data to be concealed. Suppose you are streaming video, perhaps a movie, from a satellite. The stream may come in bursts, depending on such things as the load on the satellite and the speed at which the sender and receiver can operate. For such application you may use what is called stream encryption.

DES: The Data Encryption Standard The Data Encryption Standard (DES)[NBS77], a system developed for the U.S. government, was intended for use by the general public. Standards organizations have officially accepted it as a cryptographic standard both in the United States and abroad. Moreover, many hardware and software systems have been designed with DES

Cyber security security measure unit 1 ppt

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Cyber security security measure unit 1 ppt

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

TLE-9-Prepare-Salad-and-Dressing.pptxkkk

LESSON 1 ABOUT MEDIA AND INFORMATION.pptx

GRADE-8-AQUACULTURE-WEEKQ1.pdfdfawgwyrsewru

Feelings PP Game FOR CHILDREN IN ELEMENTARY SCHOOL.pptx

Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx

Jeopardy_Figures_of_Speech.pptxvdsvdsvsdvsd