Computer security concepts | PPTX
Computer Security Concepts
Index
• Introduction to information security
• Introduction to data security
• Introduction to network security
• NIST FIPS 199 Standards
• Assets and Threat Models
Computer Security
• Cyber security, computer security or IT security is the
protection of computer systems from theft of or damage to
their hardware, software or electronic data, as well as
from disruption or misdirection of the services they provide.
Information Security
• The internet is not a single network, but a worldwide
collection of loosely connected networks
– accessible by individual computer hosts, in a variety of ways, to
anyone with a computer and a network connection.
• Along with the convenience and easy access to information
come risks.
• Risks :- valuable information will be lost, stolen, changed, or
misused.
• If information is recorded electronically and is available on
networked computers, it is more vulnerable than if the same
information is printed on paper
Components of Security
• Confidentiality, integrity and availability.
• The CIA triad is a model designed to guide policies for information
security within an organization.
• The model is also sometimes referred to as the AIC triad.
Confidentiality
• Confidentiality is roughly equivalent to privacy.
• Loss of confidentiality :- when information is read or copied
by someone not authorized to do so.
• Some information needs protection, such as research data, medical
and insurance records, new product specifications, and
corporate investment strategies.
• Access must be restricted to those authorized to view the data
in question.
• Data should be categorized according to the amount and type of
damage that could be done should it fall into unintended
hands.
Measures to be taken
• Special training for those privy to such documents.
• Strong passwords.
• Awareness of social engineering methods.
• Examples:-
– Data encryption is a common method of ensuring
confidentiality.
– Two-factor authentication.
Integrity
• Integrity involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.
• Data must not be changed in transit, and steps must be taken to
ensure that data cannot be altered by unauthorized people.
• Loss of integrity :- when information is modified in
unexpected ways.
Measures to be taken
• File permissions and user access controls.
• Version control may be used to prevent erroneous changes or
accidental deletion by authorized users.
• Some means must be in place to detect any changes in data that
might occur as a result of non-human-caused events such as an
electromagnetic pulse (EMP) or server crash.
• Backups or redundancies must be available to restore the
affected data to its correct state.
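The two integrity measures above, detecting changes and restoring from a backup, fit together as one small procedure. The following is an added example, not code from the slides: a keyed (HMAC-SHA256) manifest is recorded while the data is known to be correct, later content is compared against it, and anything modified or missing is restored from an offline copy. The file contents, paths and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: the protected files as an in-memory {path: bytes} mapping,
# so the example runs offline without touching a real filesystem.
SAMPLE_FILES = {
    "config/app.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
    "data/records.csv": b"id,name\n1,alice\n2,bob\n",
}
# Constructed key. Keying the digests (HMAC) means someone who can alter a file
# but does not hold the key cannot also forge a matching manifest entry.
MANIFEST_KEY = b"constructed-manifest-key-do-not-reuse"

def digest(content, key=MANIFEST_KEY):
    return hmac.new(key, content, hashlib.sha256).hexdigest()

def build_manifest(files):
    """Baseline taken while the data is known to be in its correct state."""
    return {path: digest(content) for path, content in files.items()}

def verify(files, manifest):
    """Compare current content with the baseline. Returns
    {path: 'modified' | 'missing' | 'unexpected'} for everything that differs;
    an empty dict means the data matches the baseline."""
    findings = {}
    for path, expected in manifest.items():
        if path not in files:
            findings[path] = "missing"
        elif not hmac.compare_digest(digest(files[path]), expected):
            findings[path] = "modified"
    for path in files:
        if path not in manifest:
            findings[path] = "unexpected"
    return findings

def restore(files, backup, findings):
    """Restore modified or missing files from the backup copy and return the
    repaired set; 'unexpected' files are left for a human to review."""
    repaired = dict(files)
    for path, state in findings.items():
        if state in ("modified", "missing") and path in backup:
            repaired[path] = backup[path]
    return repaired

def demo():
    baseline = build_manifest(SAMPLE_FILES)
    backup = dict(SAMPLE_FILES)          # offline copy taken with the baseline
    damaged = dict(SAMPLE_FILES)         # simulate a crash / bit flip and a lost file
    damaged["data/records.csv"] = b"id,name\n1,alice\n2,bOb\n"
    del damaged["config/app.yaml"]
    findings = verify(damaged, baseline)
    after = verify(restore(damaged, backup, findings), baseline)
    return findings, after

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and the backup must be stored where the process that writes the live data cannot reach them; otherwise whatever corrupts the data can corrupt the baseline as well, and the check will report nothing.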
Availability
• Availability of information refers to ensuring that authorized
parties are able to access the information when needed.
• Information only has value if the right people can access it at
the right times.
• Information can be erased or become inaccessible, resulting in
loss of availability.
• Availability is often the most important attribute in
service-oriented businesses that depend on information.
• When users cannot access the network or specific services
provided on the network, they experience a denial of service.
• To make information available, organizations use
authentication and authorization.
• Security is strong when the means of authentication cannot
later be refuted: the user cannot later deny that he or she
performed the activity. This is known as non-repudiation.
Measures to be taken
• A backup copy may be stored in a geographically isolated
location, perhaps even in a fireproof, waterproof safe.
• Software such as firewalls and proxy servers can guard against
downtime and unreachable data due to malicious actions such
as denial-of-service (DoS) attacks and network intrusions.
Data Security
• Data security means protecting digital data, such as the data in
a database, from destructive forces and from the unwanted
actions of unauthorized users, such as a cyber attack or a data
breach.
• Data security is an essential aspect of IT for organizations of
every size and type.
• Technologies:-
– Disk encryption
– Backup
– Data masking
– Data erasure
– Software- versus hardware-based mechanisms for protecting data.
• Difference between data security and data privacy:
Data security is commonly understood as the confidentiality,
availability, and integrity of data. In other words, it is all of the
practices and processes that are in place to ensure data is not
being used or accessed by unauthorized individuals or parties,
whereas data privacy is best defined as the appropriate use
of data. When companies and merchants use data or
information that is provided or entrusted to them, the data
should be used according to the agreed purposes.
Disk Encryption
• Disk encryption refers to encryption technology that encrypts
data on a hard disk drive.
• Disk encryption typically takes form in either software or
hardware.
• Disk encryption is often referred to as on-the-fly
encryption (OTFE) or transparent encryption.
Software- versus hardware-based mechanisms for protecting data
• Software-based security solutions encrypt the data to protect it
from theft.
• However, a malicious program or a hacker could corrupt the
data in order to make it unrecoverable, making the system
unusable.
• Hardware-based security solutions can prevent read and write
access to data and hence offer very strong protection against
tampering and unauthorized access.
• Operating systems are vulnerable to malicious attacks
by viruses and hackers.
• The data on hard disks can be corrupted once malicious
access is obtained. Software cannot manipulate the user
privilege levels.
• The hardware protects the operating system image and file
system privileges from being tampered with.
• Therefore, a completely secure system can be created using a
combination of hardware-based security and secure system
administration policies.
Backups
• Backups are used to ensure that data which is lost can be recovered
from another source.
• It is considered essential to keep a backup of any data in most
industries and the process is recommended for any files of
importance to a user.
Data Masking
• Data masking of structured data is the process of masking
specific data within a database table or cell to ensure that data
security is maintained and sensitive information is not exposed
to unauthorized personnel.
• This may include masking the data from users (for example,
banking customer representatives can only see the last 4 digits
of a customer's national identity number), developers (who
need real production data to test new software releases but
should not be able to see sensitive financial data), outsourcing
vendors, etc.
Data erasure
• Data erasure is a method of software-based
overwriting that completely destroys all electronic
data residing on a hard drive or other digital media, to
ensure that no sensitive data is leaked when an asset is
retired or reused.
Network Security
• Network security consists of the policies and practices
adopted to prevent and monitor unauthorized access, misuse,
modification, or denial of a computer network and network-
accessible resources.
• Network security involves the authorization of access to data
in a network, which is controlled by the network
administrator.
• Users choose or are assigned an ID and password or other
authenticating information that allows them access to
information and programs within their authority.
Types of attacks
• Basic
– Active attack: tries to change the system resources or affect
their operation.
– Passive attack: tries to read or make use of information from
the system but does not influence system resources.
• Modification of the information
– Active attack: occurs.
– Passive attack: does not take place.
• Harm to the system
– Active attack: always causes damage to the system.
– Passive attack: does not cause any harm.
• Threat to
– Active attack: integrity and availability.
– Passive attack: confidentiality.
• Emphasis is on
– Active attack: detection.
– Passive attack: prevention.
• Example
– Active attack: spoofing, phishing, XSS, etc.
– Passive attack: sniffing, port scanning, etc.
Authentication, Authorization and Accounting
• Authentication, authorization and accounting (AAA) is a
system for tracking user activities on an IP-based network and
controlling their access to network resources.
• AAA is often implemented as a dedicated server.
• These combined processes are considered important for
effective network management and security.
• Authentication
– Authentication refers to unique identifying information
from each system user, generally in the form of a
username and password. System administrators monitor
and add or delete authorized users from the system.
• Authorization
– Refers to the process of granting or denying individual user
access to a computer network and its resources.
– Users may be given different authorization levels that limit
their access to the network and associated resources.
– Authorization determination may be based on geographical
location restrictions, date or time-of-day restrictions,
frequency of logins or multiple logins by single individuals
or entities.
• Accounting
– Refers to the record-keeping and tracking of user activities
on a computer network.
– For a given time period this may include, but is not limited
to, real-time accounting of time spent accessing the
network, the network services employed or accessed,
capacity and trend analysis, network cost allocations,
billing data, login data for user authentication and
authorization, and the data or data amount accessed or
transferred.
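The three AAA functions described above, as an added example that is not part of the slides: authentication checks a salted password hash, authorization applies the restriction types the slide lists (location, time of day, number of concurrent logins), and accounting records every decision, denials included. The user record, password, salt and timestamps are constructed for the example; a real deployment would hold the user store on the AAA server and forward the accounting records to it.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# --- Constructed user store: salted password hashes, never plaintext ---
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-16B"
USERS = {
    "alice": {
        "pw": _hash_password("correct horse battery", _SALT),
        "salt": _SALT,
        "allowed_hours": range(8, 18),     # 08:00-17:59 UTC
        "allowed_regions": {"EU"},
        "max_sessions": 2,
    },
}
_active_sessions = {"alice": 0}
ACCOUNTING_LOG = []   # in a real deployment this is forwarded to the AAA server

def authenticate(user, password):
    """Authentication: prove identity. compare_digest avoids leaking how many
    bytes of the hash matched through timing."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw"], _hash_password(password, rec["salt"]))

def authorize(user, region, when):
    """Authorization: decide what an authenticated user may do, here based on
    location, time-of-day and concurrent-session limits."""
    rec = USERS[user]
    if region not in rec["allowed_regions"]:
        return False, "region not permitted"
    if when.hour not in rec["allowed_hours"]:
        return False, "outside permitted hours"
    if _active_sessions.get(user, 0) >= rec["max_sessions"]:
        return False, "too many concurrent sessions"
    return True, "ok"

def account(user, event, detail, when):
    """Accounting: append-only record of who did what and when. Refusals are
    recorded too, so repeated failures are visible to whoever reviews the log."""
    ACCOUNTING_LOG.append({"ts": when.isoformat(), "user": user,
                           "event": event, "detail": detail})

def login(user, password, region, when):
    if not authenticate(user, password):
        account(user, "auth_fail", "bad credentials", when)
        return False
    ok, reason = authorize(user, region, when)
    account(user, "authz_ok" if ok else "authz_deny", reason, when)
    if ok:
        _active_sessions[user] = _active_sessions.get(user, 0) + 1
    return ok

def demo():
    """Runs six constructed login attempts; returns the decisions and the
    accounting events they produced."""
    t_ok = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
    t_night = datetime(2024, 5, 6, 23, 0, tzinfo=timezone.utc)
    results = [
        login("alice", "wrong", "EU", t_ok),                     # authentication fails
        login("alice", "correct horse battery", "US", t_ok),     # wrong region
        login("alice", "correct horse battery", "EU", t_night),  # outside hours
        login("alice", "correct horse battery", "EU", t_ok),     # session 1
        login("alice", "correct horse battery", "EU", t_ok),     # session 2
        login("alice", "correct horse battery", "EU", t_ok),     # third session: denied
    ]
    return results, [e["event"] for e in ACCOUNTING_LOG]

if __name__ == "__main__":
    for r, ev in zip(*demo()):
        print(r, ev)
```

Keeping the three steps as separate functions is deliberate: the authorization rules can be changed (or moved to a central policy server) without touching how passwords are verified, and the accounting record is written on every path through `login`, not only on success.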
Types of AAA servers include:
• Access Network AAA (AN-AAA) which communicates with
radio network controllers
• Broker AAA (B-AAA), which manages traffic between
roaming partner networks
• Home AAA (H-AAA)
Examples of AAA protocols include:
• Diameter, a successor to Remote Authentication Dial-In User
Service (RADIUS)
• Terminal Access Controller Access-Control System
(TACACS)
• Terminal Access Controller Access-Control System Plus
(TACACS+), a proprietary Cisco Systems protocol that
provides access control for network servers, routers and other
network computing devices.
NIST FIPS 199 Standard
• NIST: National Institute of Standards and Technology
• FIPS: Federal Information Processing Standard
• The FIPS Publication Series of the NIST is the official series
of publications relating to standards and guidelines adopted
and promulgated under the provisions of Section 5131 of the
Information Technology Management Reform Act of 1996 and
the Federal Information Security Management Act of 2002 .
• This publication establishes security categories for both
information and information systems.
• The security categories are based on the potential impact on an
organization should certain events occur which jeopardize the
information and information systems needed by the
organization to accomplish its assigned mission, protect its
assets, fulfil its legal responsibilities, maintain its day-to-day
functions, and protect individuals.
• Security Objectives: FIPS 199 defines three security objectives
for information and information systems:
– CONFIDENTIALITY
– INTEGRITY
– AVAILABILITY
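The slide states that FIPS 199 categories are based on potential impact per objective but does not show the categorization itself. The following added example (not from the slides) applies the expression published in FIPS 199: an information type gets one impact level (LOW, MODERATE, HIGH, or NOT APPLICABLE for confidentiality only) per objective, and an information system takes the high-water mark over every information type it handles, with at least LOW for each objective. The two information types are constructed for the example.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential-impact levels. NOT_APPLICABLE exists only for the
    confidentiality of an information type, never for a system."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize_information_type(confidentiality, integrity, availability):
    """SC information type = {(confidentiality, impact), (integrity, impact),
    (availability, impact)}. Integrity and availability always have an impact."""
    if integrity == Impact.NOT_APPLICABLE or availability == Impact.NOT_APPLICABLE:
        raise ValueError("NOT APPLICABLE is only permitted for confidentiality")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}

def categorize_system(info_types):
    """SC information system = high-water mark per objective across all
    information types processed by the system; a system is at least LOW
    for every objective, so a NOT_APPLICABLE confidentiality becomes LOW."""
    if not info_types:
        raise ValueError("a system processes at least one information type")
    return {obj: max(Impact.LOW, max(it[obj] for it in info_types))
            for obj in OBJECTIVES}

def overall_level(system_sc):
    """Single high-water mark over the three objectives (the level usually
    quoted when a system is called a 'moderate-impact system')."""
    return max(system_sc.values())

def fmt(sc):
    """Render a category in the notation FIPS 199 uses."""
    return "{" + ", ".join(f"({k}, {v.name.replace('_', ' ')})"
                           for k, v in sc.items()) + "}"

# Constructed example: one system serving public web content and contract data.
PUBLIC_WEB = categorize_information_type(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE)
CONTRACTS = categorize_information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW)

if __name__ == "__main__":
    system = categorize_system([PUBLIC_WEB, CONTRACTS])
    print("public web :", fmt(PUBLIC_WEB))
    print("contracts  :", fmt(CONTRACTS))
    print("system     :", fmt(system), "->", overall_level(system).name)
```

The point the code makes is that the system category is not an average: one MODERATE information type raises the whole system to MODERATE for that objective, which is why mixing a low-impact and a moderate-impact data set on one system costs the low-impact one the cheaper controls.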
Assets and Threat Models
• Threat modelling is a process by which potential threats, such
as structural vulnerabilities, can be identified, enumerated, and
prioritized, all from a hypothetical attacker’s point of view.
• The purpose of threat modelling is to provide defenders with a
systematic analysis of the probable attacker’s profile, the most
likely attack vectors, and the assets most desired by an
attacker.
• Threat modelling answers the questions:
– “Where are the high-value assets?”
– “Where am I most vulnerable to attack?”
– “What are the most relevant threats?”
– “Is there an attack vector that might go unnoticed?”
• Early IT-based threat modelling methodologies were based on
the concept of architectural patterns.
Threat Modelling Methodologies
STRIDE Methodology
– The STRIDE approach to threat modelling was introduced
in 1999 at Microsoft, providing a mnemonic for developers
to find 'threats to our products'.
– STRIDE is a threat classification model.
– It provides a mnemonic for security threats in six
categories.
• The threat categories are:
– Spoofing of user identity
– Tampering
– Repudiation
– Information disclosure (privacy breach or data leak)
– Denial of service (DoS)
– Elevation of privilege
• STRIDE was initially created as part of the process
of threat modelling.
• STRIDE is a model of threats, used to help reason and find
threats to a system.
• It is used in conjunction with a model of the target system that
can be constructed in parallel.
• This includes a full breakdown of processes, data stores, data
flows and trust boundaries.
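The slides say STRIDE is applied together with a model of the system broken down into processes, data stores, data flows and trust boundaries. The following added example (not from the slides) shows the mechanical part of that: a small constructed data-flow model is walked and each element gets the STRIDE categories that apply to its kind, with data flows that cross a trust boundary listed first. The per-element mapping used here is Microsoft's published STRIDE-per-element chart, not something the slide states; the web-app model is constructed for the example.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element (Microsoft SDL chart): categories typically relevant to
# each kind of DFD element. Repudiation on a data store applies to stores
# that hold logs or audit records.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

@dataclass
class Element:
    name: str
    kind: str
    zone: str            # trust zone; a flow whose endpoints differ in zone crosses a boundary
    endpoints: tuple = ()  # for data_flow: (source, destination) element names

def enumerate_threats(elements):
    """Return (element name, STRIDE category, crosses_boundary) triples for
    every element in the model."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        if e.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind {e.kind!r}")
        crosses = False
        if e.kind == "data_flow":
            src, dst = (by_name[n] for n in e.endpoints)
            crosses = src.zone != dst.zone
        for letter in PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE[letter], crosses))
    return threats

def prioritized(elements):
    """Boundary-crossing threats first (they are where an attacker in one
    zone reaches another), then the rest, as readable lines."""
    rows = enumerate_threats(elements)
    rows.sort(key=lambda r: (not r[2], r[0]))   # stable: keeps S,T,R,I,D,E order within an element
    return [f"{'[boundary] ' if c else ''}{n}: {t}" for n, t, c in rows]

# Constructed model of a small web application: three zones, two flows.
MODEL = [
    Element("Browser", "external_entity", "internet"),
    Element("Web API", "process", "dmz"),
    Element("Orders DB", "data_store", "internal"),
    Element("Browser->Web API", "data_flow", "n/a", ("Browser", "Web API")),
    Element("Web API->Orders DB", "data_flow", "n/a", ("Web API", "Orders DB")),
]

if __name__ == "__main__":
    for line in prioritized(MODEL):
        print(line)
```

The output is the candidate list a reviewer then works through, deciding for each line whether an existing control already addresses it (for example, TLS for tampering with and disclosure of the browser-to-API flow) or whether a mitigation or an accepted risk has to be recorded. The enumeration itself is only the starting point; the judgement about each candidate is the threat model.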
P.A.S.T.A.
• The Process for Attack Simulation and Threat Analysis
(PASTA) is a seven-step, risk-centric methodology.
• It provides a seven-step process for aligning business
objectives and technical requirements, taking into account
compliance issues and business analysis.
• The intent of the method is to provide a dynamic threat
identification, enumeration, and scoring process.
Seven steps of PASTA:-
1. Define Business Context of Application
2. Technology Enumeration
3. Application Decomposition
4. Threat Analysis
5. Weakness / Vulnerability Identification
6. Attack Simulation
7. Residual Risk Analysis
• Once the threat model is completed, security subject matter
experts develop a detailed analysis of the identified threats.
Finally, appropriate security controls can be enumerated.
• This methodology is intended to provide an attacker-centric
view of the application and infrastructure from which
defenders can develop an asset-centric mitigation strategy.
Trike
• The focus of the Trike methodology is using threat models as a
risk-management tool.
• Within this framework, threat models are used to satisfy the
security auditing process.
• Threat models are based on a “requirements model.”
• The requirements model establishes the stakeholder-defined
“acceptable” level of risk assigned to each asset class.
• Analysis of the requirements model yields a threat model from
which threats are enumerated and assigned risk values.
• The completed threat model is used to construct a risk model
based on asset, roles, actions, and calculated risk exposure.
VAST
• VAST is an acronym for Visual, Agile, and Simple Threat
modelling.
• The underlying principle of this methodology is the necessity of
scaling the threat modelling process across the infrastructure and
entire SDLC, and integrating it seamlessly into an Agile software
development methodology.
• The methodology seeks to provide actionable outputs for the unique
needs of various stakeholders: application architects and developers,
cybersecurity personnel, and senior executives.
• The methodology provides a unique application and infrastructure
visualization scheme such that the creation and use of threat models
do not require specific security subject matter expertise.
• VAST produces two kinds of model: an Operational Threat Model and an
Application Threat Model.


Editor's Notes

  • #6 Confidentiality:- the ability to hide information from those people unauthorized to view it. Integrity:- the ability to ensure that data is an accurate and unchanged representation of the original secure information. One type of security attack is to intercept some important data and make changes to it before sending it on to the intended receiver. Availability:- it is important to ensure that the information concerned is readily accessible to the authorized viewer at all times. Some types of security attack attempt to deny access to the appropriate user, either for the sake of inconveniencing them or because there is some secondary effect. For example, by breaking the website of a particular search engine, a rival may become more popular.
  • #16 OTFE:- FreeOTFE is a discontinued open-source computer program for on-the-fly disk encryption (OTFE). On Microsoft Windows, and on Windows Mobile (using FreeOTFE4PDA), it can create a virtual drive within a file or partition, to which anything written is automatically encrypted before being stored on a computer's hard or USB drive. It is similar in function to other disk encryption programs including TrueCrypt and Microsoft's BitLocker.
  • #24 Spoofing:- A spoofing attack is a situation in which a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage. Phishing:- Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. XSS (Cross-Site Scripting):- XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Sniffing:- A sniffing attack or sniffer attack, in the context of network security, corresponds to theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets). Port Scanning:- A port scan attack occurs when an attacker sends packets to your machine, varying the destination port. The attacker can use this to find out what services you are running and to get a pretty good idea of the operating system you have. Most Internet sites get a dozen or more port scans per day.
• #34 Assets:- a useful or valuable thing or person. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information; information assets include databases, software code, critical company records and many other intangible items. An asset is what we are trying to protect. Threat:- anything that can exploit a vulnerability, intentionally or accidentally, to obtain, damage or destroy an asset. A threat is what we are trying to protect against.
• #37 Tampering:- in threat modeling, the unauthorized modification of data or code, in transit or at rest. (The everyday meanings are related: product tampering is the intentional modification of products in a way that makes them harmful to the consumer; tampering with evidence is a form of criminal falsification; witness tampering is an illegal attempt to coerce witnesses called to testify in a legal proceeding.) Repudiation:- the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation is hard to refute because there is no trustworthy record of who did what. DoS:- a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.
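The note above ties repudiation to auditing: a log that an insider can quietly edit or prune does not refute anything. The added example below (not from the slides) is a minimal tamper-evident audit log in which each entry commits to the hash of the previous one, so altering or deleting a past entry breaks the chain from that point on. The three log entries, the actor names and the attack functions are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as the "previous hash" of the first entry


def _digest(body):
    # Canonical JSON (sorted keys) so the same content always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log. Each entry records its sequence number and the hash of the
    previous entry, and is itself hashed, so the last hash commits to the whole history."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, target):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "target": target, "prev": prev_hash}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry whose link is broken, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i          # an entry was removed or reordered before this point
            if _digest(body) != entry["hash"]:
                return i          # this entry's content was modified after the fact
            prev = entry["hash"]
        return None


def build_sample_log():
    """Constructed sample history: two actions by alice, one by bob."""
    log = AuditLog()
    log.append("alice", "login", "vpn-gateway")
    log.append("alice", "transfer", "acct:12345678 -> acct:87654321")
    log.append("bob", "delete", "customer-record:42")
    return log


def repudiation_attempt():
    """alice rewrites the transfer entry to blame bob; verify() points at entry 1."""
    log = build_sample_log()
    log.entries[1]["actor"] = "bob"
    return log.verify()


def deletion_attempt():
    """alice removes the transfer entry entirely; the next entry's 'prev' no longer matches."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()


if __name__ == "__main__":
    print("intact log:", build_sample_log().verify())   # None
    print("edited entry detected at:", repudiation_attempt())  # 1
    print("deleted entry detected at:", deletion_attempt())    # 1
```

A hash chain makes tampering detectable, not impossible: whoever can rewrite every entry after the change can rebuild the chain. In practice the latest hash is periodically copied to a separate write-once store, signed, or forwarded to a log collector the application cannot write back to, so that a rewritten tail no longer matches the anchored head.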
• #39 Seven steps of PASTA:- 1. Define the business context of the application:- considers the inherent application risk profile and addresses other business impact considerations early in the SDLC, or for a given sprint under Scrum. 2. Technology enumeration:- "you can't protect what you don't know" is the philosophy behind this stage. It decomposes the technology stack that supports the application components which realize the business objectives identified in Stage 1. 3. Application decomposition:- focuses on understanding the data flows among application components and services in the application threat model.
• #40 4. Threat analysis:- reviews threat assertions drawn from data within the environment as well as industry threat intelligence relevant to the service, its data and its deployment model. 5. Weakness / vulnerability identification:- identifies the vulnerabilities and weaknesses in the application design and code and correlates them with the threat assertions from the prior stage to see whether those assertions are supported. 6. Attack simulation:- emulates attacks that could exploit the weaknesses and vulnerabilities identified in the prior stage, and helps determine threat viability via attack patterns. 7. Residual risk analysis:- centres on remediating the vulnerabilities or weaknesses in code or design that enable the threats and their underlying attack patterns; whatever cannot be fixed may require explicit risk acceptance by the application owners or development managers.
  • #44 SDLC:- software development life cycle
• #45 Operational threat modeling looks at the end-to-end data flow of the organization's infrastructure. The first step is to identify the operational environment, including shared components such as SSO servers, encryption servers and database servers. Next, each component's attributes can be recorded to give additional context to the potential threats.
• #46 An application threat model should focus solely on the application for which it is created. Its primary purposes are (1) to identify the threats that are pertinent to that application and (2) to indicate how developers need to address those threats. The most effective means of accomplishing both is to start by creating a process flow diagram (PFD).