Computer Security Concepts
Index
• Introduction to information security
• Introduction to data security
• Introduction to network security
• NIST FIPS 199 Standards
• Assets and Threat Models
Computer Security
• Cyber security, computer security or IT security is the
protection of computer systems from theft of or damage to
their hardware, software or electronic data, as well as
from disruption or misdirection of the services they provide.
Information Security
• The internet is not a single network, but a worldwide
collection of loosely connected networks
– accessible by individual computer hosts, in a variety of ways, to
anyone with a computer and a network connection.
• Along with the convenience and easy access to information
come risks.
• Risks: valuable information will be lost, stolen, changed, or
misused.
• If information is recorded electronically and is available on
networked computers, it is more vulnerable than if the same
information is printed on paper
Components of Security
• Confidentiality,
integrity and availability.
• CIA triad is a model
designed to guide policies
for information security
within an organization.
• The model is also
sometimes referred to as the
AIC triad
Confidentiality
• Confidentiality is roughly equivalent to privacy.
• Loss of confidentiality: when information is read or copied
by someone not authorized to do so.
• Some information needs security, such as research data, medical
and insurance records, new product specifications, and
corporate investment strategies.
• Access must be restricted to those authorized to view the data
in question.
• Data is to be categorized according to the amount and type of
damage that could be done should it fall into unintended
hands.
Measures to be taken
• Special training for those privy to such documents.
• Strong passwords.
• Information about social engineering methods.
• Examples:
– Data encryption is a common method of ensuring
confidentiality.
– Two-factor authentication.
Integrity
• Integrity involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.
• Data must not be changed in transit, and steps must be taken to
ensure that data cannot be altered by unauthorized people.
• Loss of integrity: when information is modified in
unexpected ways.
Measures to be taken
• File permissions and user access controls.
• Version control may be used to prevent erroneous changes or
accidental deletion by authorized users.
• Some means must be in place to detect any changes in data that
might occur as a result of non-human-caused events such as an
electromagnetic pulse (EMP) or server crash.
• Backups or redundancies must be available to restore the
affected data to its correct state.
Availability
• Availability of information refers to ensuring that authorized
parties are able to access the information when needed.
• Information only has value if the right people can access it at
the right times.
• Information can be erased or become inaccessible, resulting in
loss of availability.
• Availability is often the most important attribute in service-oriented
businesses that depend on information.
• When users cannot access the network or specific services
provided on the network, they experience a denial of service.
• To make information available, organizations use
authentication and authorization.
• Security is strong when the means of authentication cannot
later be refuted: the user cannot later deny that he or she
performed the activity. This is known as non-repudiation.
Measures to be taken
• A backup copy may be stored in a geographically isolated
location, perhaps even in a fireproof, waterproof safe.
• Software such as firewalls and proxy servers can guard against
downtime and unreachable data due to malicious actions such
as denial-of-service (DoS) attacks and network intrusions.
Data Security
• Data security means protecting digital data, such as those in
a database, from destructive forces and from the unwanted
actions of unauthorized users, such as a cyber attack or a data
breach.
• Data security is an essential aspect of IT for organizations of
every size and type.
• Technologies:
– Disk encryption
– Backup
– Data masking
– Data erasure
– Software- versus hardware-based mechanisms for protecting data
• Difference between data security and data privacy:
– Data security is commonly referred to as the confidentiality,
availability, and integrity of data. In other words, it is all of the
practices and processes that are in place to ensure data isn't
being used or accessed by unauthorized individuals or parties.
– Data privacy is suitably defined as the appropriate use
of data. When companies and merchants use data or
information that is provided or entrusted to them, the data
should be used according to the agreed purposes.
Disk Encryption
• Disk encryption refers to encryption technology that encrypts
data on a hard disk drive.
• Disk encryption typically takes form in either software or
hardware.
• Disk encryption is often referred to as on-the-fly
encryption (OTFE) or transparent encryption.
Software- versus hardware-based mechanisms for protecting data
• Software-based security solutions encrypt the data to protect it
from theft.
• However, a malicious program or a hacker could corrupt the
data in order to make it unrecoverable, making the system
unusable.
• Hardware-based security solutions can prevent read and write
access to data and hence offer very strong protection against
tampering and unauthorized access.
• Operating systems are vulnerable to malicious attacks
by viruses and hackers.
• The data on hard disks can be corrupted after a malicious
access is obtained. With hardware-based protection, software
cannot manipulate the user privilege levels.
• The hardware protects the operating system image and file
system privileges from being tampered with.
• Therefore, a completely secure system can be created using a
combination of hardware-based security and secure system
administration policies.
Backups
• Backups are used to ensure data which is lost can be recovered
from another source.
• It is considered essential to keep a backup of any data in most
industries and the process is recommended for any files of
importance to a user.
Data Masking
• Data masking of structured data is the process of masking
specific data within a database table or cell to ensure that data
security is maintained and sensitive information is not exposed
to unauthorized personnel.
• This may include masking the data from users (for example,
banking customer representatives can only see the last 4 digits
of a customer's national identity number), developers (who
need real production data to test new software releases but
should not be able to see sensitive financial data), outsourcing
vendors, etc.
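The masking cases named above, as an added example that is not part of the original slides: a customer representative sees only the last 4 digits, a developer gets same-shaped but substituted values, and a vendor sees nothing. The record, role names, policy table and key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample record; every value is made up for this example.
CUSTOMER = {
    "name": "Asha Rao",
    "national_id": "123-45-6789",
    "account_balance": "18250.75",
}

# Hypothetical policy: how each role sees each field.
POLICY = {
    "customer_rep": {"name": "clear", "national_id": "last4",
                     "account_balance": "clear"},
    "developer": {"name": "clear", "national_id": "pseudonym",
                  "account_balance": "pseudonym"},
    "vendor": {"name": "redact", "national_id": "redact",
               "account_balance": "redact"},
}

# Assumption: a real deployment keeps this key in a secrets manager.
MASKING_KEY = b"example-only-key"


def mask_last4(value: str) -> str:
    """Replace every digit except the last four with '*', keeping separators."""
    total_digits = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def pseudonymize(value: str, field: str) -> str:
    """Swap each digit for one derived from a keyed hash of the value.

    The output keeps the length and separators of the input and is the same
    on every run, so test suites stay stable without exposing real numbers.
    """
    digest = hmac.new(MASKING_KEY, f"{field}:{value}".encode(),
                      hashlib.sha256).digest()
    out = []
    i = 0
    for ch in value:
        if ch.isdigit():
            out.append(str(digest[i % len(digest)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_record(record: dict, role: str) -> dict:
    """Return a copy of the record as the given role is allowed to see it."""
    rules = POLICY.get(role)
    if rules is None:
        raise PermissionError(f"no masking policy for role {role!r}")
    masked = {}
    for field, value in record.items():
        rule = rules.get(field, "redact")  # fields without a rule are hidden
        if rule == "clear":
            masked[field] = value
        elif rule == "last4":
            masked[field] = mask_last4(value)
        elif rule == "pseudonym":
            masked[field] = pseudonymize(value, field)
        else:
            masked[field] = "[REDACTED]"
    return masked


if __name__ == "__main__":
    for role in POLICY:
        print(role, mask_record(CUSTOMER, role))
```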
Data erasure
• Data erasure is a method of software-based
overwriting that completely destroys all electronic
data residing on a hard drive or other digital media to
ensure that no sensitive data is lost when an asset is
retired or reused.
Network Security
• Network security consists of the policies and practices
adopted to prevent and monitor unauthorized access, misuse,
modification, or denial of a computer network and network-
accessible resources.
• Network security involves the authorization of access to data
in a network, which is controlled by the network
administrator.
• Users choose or are assigned an ID and password or other
authenticating information that allows them access to
information and programs within their authority.
Types of attacks
Active attack versus passive attack, by basis for comparison:
• Basic
– Active attack: tries to change the system resources or affect
their operation.
– Passive attack: tries to read or make use of information from
the system but does not influence system resources.
• Modification in the information
– Active attack: occurs.
– Passive attack: does not take place.
• Harm to the system
– Active attack: always causes damage to the system.
– Passive attack: does not cause any harm.
• Threat to
– Active attack: integrity and availability.
– Passive attack: confidentiality.
• Emphasis is on
– Active attack: detection.
– Passive attack: prevention.
• Example
– Active attack: spoofing, phishing, XSS, etc.
– Passive attack: sniffing, port scanning, etc.
Authentication, Authorization and Accounting
• Authentication, authorization and accounting (AAA) is a
system for tracking user activities on an IP-based network and
controlling their access to network resources.
• AAA is often implemented as a dedicated server.
• These combined processes are considered important for
effective network management and security.
• Authentication
– Authentication refers to unique identifying information
from each system user, generally in the form of a
username and password. System administrators monitor
and add or delete authorized users from the system.
• Authorization
– Refers to the process of adding or denying individual user
access to a computer network and its resources.
– Users may be given different authorization levels that limit
their access to the network and associated resources.
– Authorization determination may be based on geographical
location restrictions, date or time-of-day restrictions,
frequency of logins or multiple logins by single individuals
or entities.
• Accounting
– Refers to the record-keeping and tracking of user activities
on a computer network.
– For a given time period this may include, but is not limited
to, real-time accounting of time spent accessing the
network, the network services employed or accessed,
capacity and trend analysis, network cost allocations,
billing data, login data for user authentication and
authorization, and the data or data amount accessed or
transferred.
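The three AAA steps described above, as an added example that is not part of the original slides: a password check, an authorization decision using the level, location, time-of-day and multiple-login restrictions, and an accounting record for every request. The user, resources, limits and function names are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database for the example.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "level": 2,              # authorization level
        "countries": {"IN"},     # geographical location restriction
        "hours": range(8, 18),   # time-of-day restriction (08:00 to 17:59)
        "max_sessions": 1,       # limit on multiple logins
    },
}

# Hypothetical resources and the minimum authorization level each requires.
RESOURCES = {"wiki": 1, "hr-db": 2, "core-router": 3}

ACCOUNTING = []  # one record per request, allowed or denied


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the password match the stored hash?"""
    user = USERS.get(username)
    # Hash for unknown users too, so both paths do the same amount of work.
    salt = user["salt"] if user else b"no-such-user"
    expected = user["pw_hash"] if user else bytes(32)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and user is not None


def authorize(username, resource, country, when, active_sessions):
    """Authorization: apply the level, location, time and login-count limits."""
    user = USERS[username]
    required = RESOURCES.get(resource)
    if required is None or user["level"] < required:
        return False, "insufficient authorization level"
    if country not in user["countries"]:
        return False, "location not permitted"
    if when.hour not in user["hours"]:
        return False, "outside permitted hours"
    if active_sessions >= user["max_sessions"]:
        return False, "too many concurrent logins"
    return True, "ok"


def handle_request(username, password, resource, country, when,
                   active_sessions=0, bytes_out=0):
    """Run authentication, then authorization, and always write accounting."""
    if not authenticate(username, password):
        allowed, reason = False, "authentication failed"
    else:
        allowed, reason = authorize(username, resource, country, when,
                                    active_sessions)
    ACCOUNTING.append({
        "time": when.isoformat(), "user": username, "resource": resource,
        "country": country, "allowed": allowed, "reason": reason,
        "bytes": bytes_out if allowed else 0,
    })
    return allowed, reason


def usage_report(records):
    """Accounting summary: bytes transferred per user over allowed requests."""
    totals = {}
    for rec in records:
        if rec["allowed"]:
            totals[rec["user"]] = totals.get(rec["user"], 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    noon = datetime(2024, 1, 15, 12, 0)
    print(handle_request("alice", "correct horse", "hr-db", "IN", noon,
                         bytes_out=2048))
    print(handle_request("alice", "correct horse", "hr-db", "US", noon))
    print(usage_report(ACCOUNTING))
```

Denied requests are recorded as well as allowed ones, since the accounting trail is what later shows who attempted what.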
Types of AAA servers include:
• Access Network AAA (AN-AAA) which communicates with
radio network controllers
• Broker AAA (B-AAA), which manages traffic between
roaming partner networks
• Home AAA (H-AAA)
Examples of AAA protocols include:
• Diameter, a successor to Remote Authentication Dial-In User
Service (RADIUS)
• Terminal Access Controller Access-Control System
(TACACS)
• Terminal Access Controller Access-Control System Plus
(TACACS+), a proprietary Cisco Systems protocol that
provides access for network servers, routers and other network
computing devices.
NIST FIPS 199 Standard
• NIST: National Institute of Standards and Technology
• FIPS: Federal Information Processing Standard
• The FIPS Publication Series of the NIST is the official series
of publications relating to standards and guidelines adopted
and promulgated under the provisions of Section 5131 of the
Information Technology Management Reform Act of 1996 and
the Federal Information Security Management Act of 2002.
• This publication establishes security categories for both
information and information systems.
• The security categories are based on the potential impact on an
organization should certain events occur which jeopardize the
information and information systems needed by the
organization to accomplish its assigned mission, protect its
assets, fulfil its legal responsibilities, maintain its day-to-day
functions, and protect individuals.
• Security objectives: FIPS 199 defines three security objectives
for information and information systems:
– CONFIDENTIALITY
– INTEGRITY
– AVAILABILITY
Assets and Threat Models
• Threat modelling is a process by which potential threats, such
as structural vulnerabilities, can be identified, enumerated, and
prioritized – all from a hypothetical attacker’s point of view.
• The purpose of threat modelling is to provide defenders with a
systematic analysis of the probable attacker’s profile, the most
likely attack vectors, and the assets most desired by an
attacker.
• Threat modelling answers the questions:
– “Where are the high-value assets?”
– “Where am I most vulnerable to attack?”
– “What are the most relevant threats?”
– “Is there an attack vector that might go unnoticed?”
• Early IT-based threat modelling methodologies were based on
the concept of architectural patterns.
Threat Modelling Methodologies
STRIDE Methodology
– The STRIDE approach to threat modelling was introduced
in 1999 at Microsoft, providing a mnemonic for developers
to find 'threats to our products'.
– STRIDE is a threat classification model.
– It provides a mnemonic for security threats in six
categories.
• The threat categories are:
– Spoofing of user identity
– Tampering
– Repudiation
– Information disclosure (privacy breach or data leak)
– Denial of service (D.o.S)
– Elevation of privilege
• STRIDE was initially created as part of the process
of threat modelling.
• STRIDE is a model of threats, used to help reason and find
threats to a system.
• It is used in conjunction with a model of the target system that
can be constructed in parallel.
• This includes a full breakdown of processes, data stores, data
flows and trust boundaries.
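How the six categories are applied to such a system model, as an added example that is not part of the original slides: each process, data store, data flow and external entity is checked against the categories that usually apply to its kind, and flows that cross a trust boundary are listed first. The per-kind mapping is the commonly used "STRIDE-per-element" chart, which the slides do not show; the sample application, zones and names are constructed.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing of user identity",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart (assumption: the usual published mapping).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",   # plus R when the store holds logs
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str = ""          # trust zone (entities, processes, stores)
    source: str = ""        # data flows only
    dest: str = ""          # data flows only
    holds_logs: bool = False


# Constructed model of a small web application.
MODEL = [
    Element("Browser user", "external_entity", zone="internet"),
    Element("Web app", "process", zone="dmz"),
    Element("Report job", "process", zone="internal"),
    Element("Customer DB", "data_store", zone="internal"),
    Element("Audit log", "data_store", zone="internal", holds_logs=True),
    Element("Login request", "data_flow", source="Browser user", dest="Web app"),
    Element("SQL query", "data_flow", source="Web app", dest="Customer DB"),
    Element("Audit write", "data_flow", source="Web app", dest="Audit log"),
    Element("Report read", "data_flow", source="Customer DB", dest="Report job"),
]


def crosses_boundary(flow: Element, model) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    zones = {e.name: e.zone for e in model if e.kind != "data_flow"}
    return zones[flow.source] != zones[flow.dest]


def enumerate_threats(model):
    """List every (element, STRIDE category) pair, boundary-crossing flows first."""
    threats = []
    for element in model:
        letters = APPLICABLE[element.kind]
        if element.kind == "data_store" and element.holds_logs:
            letters += "R"  # tampered or missing logs enable repudiation
        boundary = (element.kind == "data_flow"
                    and crosses_boundary(element, model))
        for letter in letters:
            threats.append({
                "element": element.name,
                "letter": letter,
                "category": STRIDE[letter],
                "crosses_boundary": boundary,
            })
    # Stable sort: boundary-crossing entries move to the front, order kept.
    threats.sort(key=lambda t: not t["crosses_boundary"])
    return threats


if __name__ == "__main__":
    for t in enumerate_threats(MODEL):
        flag = "*" if t["crosses_boundary"] else " "
        print(f"{flag} {t['element']:<14} {t['category']}")
```

The output is a checklist to review, not a verdict: each pair still has to be judged as applicable or not for the real system.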
P.A.S.T.A.
• The Process for Attack Simulation and Threat Analysis
(PASTA) is a seven-step, risk-centric methodology.
• It provides a seven-step process for aligning business
objectives and technical requirements, taking into account
compliance issues and business analysis.
• The intent of the method is to provide a dynamic threat
identification, enumeration, and scoring process.
Seven steps of PASTA:
1. Define Business Context of Application
2. Technology Enumeration
3. Application Decomposition
4. Threat Analysis
5. Weakness / Vulnerability Identification
6. Attack Simulation
7. Residual Risk Analysis
• Once the threat model is completed, security subject matter
experts develop a detailed analysis of the identified threats.
Finally, appropriate security controls can be enumerated.
• This methodology is intended to provide an attacker-centric
view of the application and infrastructure from which
defenders can develop an asset-centric mitigation strategy.
Trike
• The focus of the Trike methodology is using threat models as a
risk-management tool.
• Within this framework, threat models are used to satisfy the
security auditing process.
• Threat models are based on a “requirements model.”
• The requirements model establishes the stakeholder-defined
“acceptable” level of risk assigned to each asset class.
• Analysis of the requirements model yields a threat model from
which threats are enumerated and assigned risk values.
• The completed threat model is used to construct a risk model
based on asset, roles, actions, and calculated risk exposure.
VAST
• VAST is an acronym for Visual, Agile, and Simple Threat
modelling.
• The underlying principle of this methodology is the necessity of
scaling the threat modelling process across the infrastructure and
entire SDLC, and integrating it seamlessly into an Agile software
development methodology.
• The methodology seeks to provide actionable outputs for the unique
needs of various stakeholders: application architects and developers,
cybersecurity personnel, and senior executives.
• The methodology provides a unique application and infrastructure
visualization scheme such that the creation and use of threat models
do not require specific security subject matter expertise.
Operational Threat Model
Application Threat Model
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 

Computer security concepts

  • 2. Index • Introduction to information security • Introduction to data security • Introduction to network security • NIST FIPS 199 Standards • Assets and Threat Models
  • 3. Computer Security • Cyber security, computer security or IT security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.
  • 4. Information Security • The internet is not a single network, but a worldwide collection of loosely connected networks – accessible by individual computer hosts, in a variety of ways, to anyone with a computer and a network connection. • Along with the convenience and easy access to information come risks. • Risks :- valuable information will be lost, stolen, changed, or misused. • If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper
  • 5. Components of Security • Confidentiality, integrity and availability. • CIA triad is a model designed to guide policies for information security within an organization. • The model is also sometimes referred to as the AIC triad Availability
  • 6. Confidentiality • Confidentiality is roughly equivalent to privacy. • Loss of confidentiality :- When information is read or copied by someone not authorized to do so. • Some information needs security, such as research data, medical and insurance records, new product specifications, and corporate investment strategies. • Access must be restricted to those authorized to view the data in question. • Data should be categorized according to the amount and type of damage that could be done should it fall into unintended hands.
  • 7. Measures to be taken • Special training for those privy to such documents. • Strong passwords. • information about social engineering methods. • Example:- – Data encryption is a common method of ensuring confidentiality. – two-factor authentication
  • 8. Integrity • Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. • Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people. • Loss of integrity :- When information is modified in unexpected ways.
  • 9. Measures to be taken • File permissions and user access controls. • Version control may be used to prevent erroneous changes or accidental deletion by authorized users. • some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. • Backups or redundancies must be available to restore the affected data to its correct state.
  • 10. Availability • Availability of information refers to ensuring that authorized parties are able to access the information when needed. • Information only has value if the right people can access it at the right times. • Information can be erased or become inaccessible, resulting in loss of availability. • Availability is often the most important attribute in service-oriented businesses that depend on information. • When users cannot access the network or specific services provided on the network, they experience a denial of service.
  • 11. • To make information available, organizations use authentication and authorization. • Security is strong when the means of authentication cannot later be refuted, that is, the user cannot later deny that he or she performed the activity. This is known as non-repudiation.
  • 12. Measures to be taken • a backup copy may be stored in a geographically-isolated location, perhaps even in a fireproof, waterproof safe. • software such as firewalls and proxy servers can guard against downtime and unreachable data due to malicious actions such as denial-of-service (DoS) attacks and network intrusions.
  • 13. Data Security • Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyber attack or a data breach. • Data security is an essential aspect of IT for organizations of every size and type. • Technologies:- – Disk encryption – Backup – Data masking – Data erasure – Software versus hardware based mechanism for protecting data.
  • 14. • Difference between data security and data privacy. Data security is commonly referred to as the confidentiality, availability, and integrity of data. In other words, it is all of the practices and processes that are in place to ensure data isn't being used or accessed by unauthorized individuals or parties whereas data privacy is suitably defined as the appropriate use of data. When companies and merchants use data or information that is provided or entrusted to them, the data should be used according to the agreed purposes.
  • 15. Disk Encryption • Disk encryption refers to encryption technology that encrypts data on a hard disk drive. • Disk encryption typically takes form in either software or hardware. • Disk encryption is often referred to as on-the-fly encryption (OTFE) or transparent encryption.
  • 16. Software versus hardware based Mechanism for protecting data. • Software-based security solutions encrypt the data to protect it from theft. • However, a malicious program or a hacker could corrupt the data in order to make it unrecoverable, making the system unusable. • Hardware-based security solutions can prevent read and write access to data and hence offer very strong protection against tampering and unauthorized access.
  • 17. • Operating systems are vulnerable to malicious attacks by viruses and hackers. • The data on hard disks can be corrupted after a malicious access is obtained. Software cannot manipulate the user privilege levels. • The hardware protects the operating system image and file system privileges from being tampered with. • Therefore, a completely secure system can be created using a combination of hardware-based security and secure system administration policies.
  • 18. Backups • Backups are used to ensure data which is lost can be recovered from another source. • It is considered essential to keep a backup of any data in most industries and the process is recommended for any files of importance to a user.
  • 19. Data Masking • Data masking of structured data is the process of masking specific data within a database table or cell to ensure that data security is maintained and sensitive information is not exposed to unauthorized personnel. • This may include masking the data from users (for example, banking customer representatives can only see the last 4 digits of a customer's national identity number), developers (who need real production data to test new software releases but should not be able to see sensitive financial data), outsourcing vendors, etc.
  • 20. Data erasure • Data erasure is a method of software based overwriting that completely destroys all electronic data residing on a hard drive or other digital media to ensure that no sensitive data is lost when an asset is retired or reused.
  • 21. Network Security • Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. • Network security involves the authorization of access to data in a network, which is controlled by the network administrator. • Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority.
  • 22. Types of attacks (active attack vs. passive attack) – Basic: an active attack tries to change the system resources or affect their operation; a passive attack tries to read or make use of information from the system but does not influence system resources. – Modification in the information: occurs in an active attack; does not take place in a passive attack. – Harm to the system: an active attack always causes damage to the system; a passive attack does not cause any harm. – Threat to: an active attack threatens integrity and availability; a passive attack threatens confidentiality.
  • 23. Contd… – Emphasis is on: detection for an active attack; prevention for a passive attack. – Example: spoofing, phishing, XSS, etc. for an active attack; sniffing, port scanning, etc. for a passive attack.
  • 24. Authentication, Authorization and Accounting • Authentication, authorization and accounting (AAA) is a system for tracking user activities on an IP-based network and controlling their access to network resources. • AAA is often implemented as a dedicated server. • These combined processes are considered important for effective network management and security.
  • 25. • Authentication – Authentication refers to unique identifying information from each system user, generally in the form of a username and password. System administrators monitor and add or delete authorized users from the system.
  • 26. • Authorization – Refers to the process of adding or denying individual user access to a computer network and its resources. – Users may be given different authorization levels that limit their access to the network and associated resources. – Authorization determination may be based on geographical location restrictions, date or time-of-day restrictions, frequency of logins or multiple logins by single individuals or entities.
  • 27. • Accounting – Refers to the record-keeping and tracking of user activities on a computer network. – For a given time period this may include, but is not limited to, real-time accounting of time spent accessing the network, the network services employed or accessed, capacity and trend analysis, network cost allocations, billing data, login data for user authentication and authorization, and the data or data amount accessed or transferred.
  • 28. Types of AAA servers include: • Access Network AAA (AN-AAA) which communicates with radio network controllers • Broker AAA (B-AAA), which manages traffic between roaming partner networks • Home AAA (H-AAA)
  • 29. Examples of AAA protocols include: • Diameter, a successor to Remote Authentication Dial-In User Service (RADIUS) • Terminal Access Controller Access-Control System (TACACS) • Terminal Access Controller Access-Control System Plus (TACACS+) a proprietary Cisco Systems protocol that provides access for network servers, routers and other network computing devices.
  • 30. NIST FIPS 199 Standard • NIST: National Institute of Standards and Technology • FIPS: Federal Information Processing Standard • The FIPS Publication Series of the NIST is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002.
  • 31. • This publication establishes security categories for both information and information systems. • The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfil its legal responsibilities, maintain its day-to-day functions, and protect individuals.
  • 32. • Security Objectives : FIPS defines three security objectives for information and information systems: – CONFIDENTIALITY – INTEGRITY – AVAILABILITY
  • 33. Assets and Threat Models • Threat modelling is a process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. • The purpose of threat modelling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker.
  • 34. • Threat modelling answers the questions : – “Where are the high-value assets?” – “Where am I most vulnerable to attack?” – “What are the most relevant threats?” – “Is there an attack vector that might go unnoticed?” • Early IT-based threat modelling methodologies were based on the concept of architectural patterns.
  • 35. Threat Modelling Methodologies STRIDE Methodology – The STRIDE approach to threat modelling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find 'threats to our products'. – STRIDE is a threat classification model. – It provides a mnemonic for security threats in six categories.
  • 36. • The threat categories are: – Spoofing of user identity – Tampering – Repudiation – Information disclosure (privacy breach or data leak) – Denial of service (D.o.S) – Elevation of privilege
  • 37. • The STRIDE was initially created as part of the process of threat modelling. • STRIDE is a model of threats, used to help reason and find threats to a system. • It is used in conjunction with a model of the target system that can be constructed in parallel. • This includes a full breakdown of processes, data stores, data flows and trust boundaries.
  • 38. P.A.S.T.A. • The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. • It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. • The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process.
  • 39. Seven steps of PASTA:- 1.Define Business Context of Application 2.Technology Enumeration 3.Application Decomposition 4.Threat Analysis 5.Weakness / Vulnerability Identification 6.Attack Simulation 7.Residual Risk Analysis
  • 40. • Once the threat model is completed security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. • This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.
  • 41. Trike • The focus of the Trike methodology is using threat models as a risk-management tool. • Within this framework, threat models are used to satisfy the security auditing process. • Threat models are based on a “requirements model.” • The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class.
  • 42. • Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. • The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.
  • 43. VAST • VAST is an acronym for Visual, Agile, and Simple Threat modelling. • The underlying principle of this methodology is the necessity of scaling the threat modelling process across the infrastructure and entire SDLC, and integrating it seamlessly into an Agile software development methodology. • The methodology seeks to provide actionable outputs for the unique needs of various stakeholders: application architects and developers, cybersecurity personnel, and senior executives. • The methodology provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.
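Slides 30 to 32 describe FIPS 199 security categories built from potential impact on confidentiality, integrity and availability. The following is an added example, not part of the original slides: it computes an information system's category from the information types it holds using the high-water-mark rule of FIPS 199. The impact levels (LOW, MODERATE, HIGH, NOT APPLICABLE) come from the standard itself rather than from the slides, and the sample inventory is constructed for illustration.

```python
"""FIPS 199 security categorization with the high-water-mark rule (added example)."""
from enum import IntEnum


class Impact(IntEnum):
    NOT_APPLICABLE = 0  # FIPS 199 allows this only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate_information_type(name, category):
    """Reject a category that omits an objective or uses NOT APPLICABLE where it is not allowed."""
    missing = [o for o in OBJECTIVES if o not in category]
    if missing:
        raise ValueError(f"{name}: no impact level given for {missing}")
    for objective in ("integrity", "availability"):
        if category[objective] == Impact.NOT_APPLICABLE:
            raise ValueError(f"{name}: NOT APPLICABLE is not allowed for {objective}")


def categorize_system(information_types):
    """Per objective, take the highest impact among all information types on the system."""
    if not information_types:
        raise ValueError("a system must hold at least one information type")
    for name, category in information_types.items():
        validate_information_type(name, category)
    system = {}
    for objective in OBJECTIVES:
        highest = max(c[objective] for c in information_types.values())
        # A system category cannot be NOT APPLICABLE: the floor is LOW.
        system[objective] = max(highest, Impact.LOW)
    return system


def overall_impact(system_category):
    """Single impact level for the system: the highest of its three objectives."""
    return max(system_category.values())


def format_category(label, category):
    """Render a category in the SC = {(objective, impact), ...} notation of FIPS 199."""
    parts = ", ".join(
        f"({o}, {category[o].name.replace('_', ' ')})" for o in OBJECTIVES
    )
    return f"SC {label} = {{{parts}}}"


# Constructed sample inventory: a public web server that also holds admin data.
SAMPLE_TYPES = {
    "public web content": {
        "confidentiality": Impact.NOT_APPLICABLE,
        "integrity": Impact.MODERATE,
        "availability": Impact.MODERATE,
    },
    "administrative information": {
        "confidentiality": Impact.LOW,
        "integrity": Impact.LOW,
        "availability": Impact.LOW,
    },
}

if __name__ == "__main__":
    for type_name, type_category in SAMPLE_TYPES.items():
        print(format_category(type_name, type_category))
    system_category = categorize_system(SAMPLE_TYPES)
    print(format_category("web server", system_category))
    print("overall impact:", overall_impact(system_category).name)
```
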

Editor's Notes

  • #6: Confidentiality:- is the ability to hide information from those people unauthorized to view it. Integrity:- The ability to ensure that data is an accurate and unchanged representation of the original secure information. One type of security attack is to intercept some important data and make changes to it before sending it on to the intended receiver. Availability:- It is important to ensure that the information concerned is readily accessible to the authorized viewer at all times. Some types of security attack attempt to deny access to the appropriate user, either for the sake of inconveniencing them, or because there is some secondary effect. For example, by breaking the web site for a particular search engine, a rival may become more popular.
  • #16: OTFE:- It is a discontinued open source computer program for on-the-fly disk encryption (OTFE). On Microsoft Windows, and Windows Mobile (using FreeOTFE4PDA), it can create a virtual drive within a file or partition, to which anything written is automatically encrypted before being stored on a computer's hard or USB drive. It is similar in function to other disk encryption programs including TrueCrypt and Microsoft's BitLocker.
  • #24: Spoofing:- A spoofing attack is a situation in which a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage. Phishing:- Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. XSS:- (Cross Site Scripting)- XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Sniffing:- Sniffing attack or a sniffer attack, in context of network security, corresponds to theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets). Port Scanning:- A port scan attack, therefore, occurs when an attacker sends packets to your machine, varying the destination port. The attacker can use this to find out what services you are running and to get a pretty good idea of the operating system you have. Most Internet sites get a dozen or more port scans per day.
  • #34: Assets: A useful or valuable thing or person. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items. An asset is what we’re trying to protect. Threat:- Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we’re trying to protect against.
  • #37: Tampering:- Intentional modification of products in a way that would make them harmful to the consumer. Tampering with evidence, a form of criminal falsification. Witness tampering, an illegal attempt to coerce witnesses called to testify in a legal proceeding. Repudiation:- Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove. DoS:- A denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
  • #39: Seven steps of PASTA:- 1. Define Business Context of Application:- This considers the inherent application risk profile and address other business impact considerations early in the SDLC or for given Sprint under Scrum activities. 2. Technology Enumeration:- You can’t protect what you don’t know is the philosophy behind this stage. It’s intended to decompose the technology stack that supports the application components that realize the business objectives identified from Stage 1. 3. Application Decomposition:- Focuses on understanding the data flows amongst application components and services in the application threat model.
  • #40: 4. Threat Analysis:- Reviews threat assertions from data within the environment as well as industry threat intelligence that is relevant to service, data, and deployment model. 5. Weakness / Vulnerability Identification:- Identifies the vulnerabilities and weaknesses within the application design and code and correlates to see if it supports the threat assertions from the prior stage. 6. Attack Simulation:- This stage focuses on emulating attacks that could exploit identified weaknesses/vulnerabilities from the prior stage. It helps to also determine the threat viability via attack patterns. 7. Residual Risk Analysis:- This stage centers around remediating vulnerabilities or weaknesses in code or design that can facilitate threats and underlying attack patterns. It may warrant some risk acceptance by broader application owners or development managers.
  • #44: SDLC:- software development life cycle
  • #45: Operational threat modeling looks at the end-to-end data flow of the organization’s infrastructure. The first step in operational threat modeling is to identify the operational environment, including shared components – i.e. SSO servers, encryption servers, database servers, and so forth. Next, every component’s attributes may be provided to give additional context to the potential threats.
  • #46: An application threat model should focus solely on the application for which it is created. The primary purpose is to (1) identify the threats that are pertinent to that application, and (2) to indicate how developers need to address those threats. And the most effective means to accomplishing these purposes is to start with the creation of a process flow diagram (PFD).
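Slides 35 to 37 say STRIDE is applied to a model of the system made of processes, data stores, data flows and trust boundaries. The following is an added example, not part of the original slides: it enumerates STRIDE categories per element of a small model and lists flows that cross a trust boundary first. The element-to-category mapping is the commonly used STRIDE-per-element chart, which is an assumption here since the slides do not give it; the sample model and all names in it are constructed.

```python
"""STRIDE-per-element enumeration over a small data flow model (added example)."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing of user identity",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed mapping (STRIDE-per-element chart); repudiation applies to a
# data store only when it holds audit or log data, handled in letters_for().
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # external_entity, process or data_store
    zone: str            # trust zone the element lives in
    audit_log: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    dest: str


@dataclass(frozen=True)
class Finding:
    target: str
    category: str
    crosses_boundary: bool


def letters_for(element):
    """Return the STRIDE letters that apply to one element."""
    if element.kind not in ("external_entity", "process", "data_store"):
        raise ValueError(f"{element.name}: unknown element kind {element.kind!r}")
    if element.kind == "data_store" and element.audit_log:
        return "TRID"
    return APPLICABLE[element.kind]


def enumerate_threats(elements, flows):
    """List candidate threats; flows that cross a trust boundary sort first."""
    by_name = {e.name: e for e in elements}
    findings = []
    for element in elements:
        findings += [Finding(element.name, STRIDE[l], False) for l in letters_for(element)]
    for flow in flows:
        for end in (flow.source, flow.dest):
            if end not in by_name:
                raise ValueError(f"{flow.name}: unknown endpoint {end!r}")
        crosses = by_name[flow.source].zone != by_name[flow.dest].zone
        findings += [Finding(flow.name, STRIDE[l], crosses) for l in APPLICABLE["data_flow"]]
    # sorted() is stable, so model order is kept within each group.
    return sorted(findings, key=lambda f: not f.crosses_boundary)


# Constructed sample model: a web shop with three trust zones.
SAMPLE_ELEMENTS = [
    Element("browser", "external_entity", "internet"),
    Element("web app", "process", "dmz"),
    Element("orders db", "data_store", "internal"),
    Element("audit log", "data_store", "internal", audit_log=True),
    Element("report job", "process", "internal"),
]
SAMPLE_FLOWS = [
    Flow("login request", "browser", "web app"),
    Flow("order query", "web app", "orders db"),
    Flow("audit write", "web app", "audit log"),
    Flow("report read", "orders db", "report job"),
]

if __name__ == "__main__":
    for finding in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        mark = "[boundary] " if finding.crosses_boundary else ""
        print(f"{mark}{finding.target}: {finding.category}")
```

The output is a checklist of candidate threats to review, not a list of confirmed weaknesses; each entry still needs a decision on whether a control exists.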