Security Concept - Chapter 6
Outline
Security concept
1. Introduction
2. Risk management
i. Risk response
ii. Exploits
iii. Security controls
iv. Attack vectors
3. Security patterns
i. Identity and access management
ii. Segregation of duties and least privilege
iii. Layered security
iv. Cryptography
Security (availability, confidentiality, integrity)
Reason for Crimes
Risk management
Definition
Risk list
1. Asset name
2. Vulnerability
3. Exploit
4. Probability
5. Impact
6. Risk
Risk response
Decided by senior management.
1. Acceptance
2. Avoidance
3. Transfer
4. Mitigation (steps to mitigate)
a) Design for minimum risk
b) Incorporate safety devices
c) Provide warning devices
d) Implement training and procedures
Exploits
Key logger installation
Use of network sniffers
Backup data
Disposed of PCs and disks
Corrupt staff can copy the information
Phishing
Security Controls
Confidentiality
Integrity
Availability
Attack vector
1. Malicious code
These are applications that can:
1. Overload networks and servers
2. Steal data and passwords
3. Erase data
Forms:
1. Viruses
2. Trojan horses
3. Worms
DoS Attack
This is an attempt to overload an infrastructure to cause downtime of a system.
Prevention of DDoS
1. Split business and public resources
2. Use external cloud provider
3. Setup automatic scalability
4. Limit bandwidth for certain traffic
5. Lower the TTL
6. Monitor traffic volume, source, and number of requests.
Some other actions
1. Immediately inform your internet provider and ask for help.
2. Run a connection termination script
3. Change the server
4. Reroute or drop suspected traffic
Attack vector
1. Social engineering
2. Phishing
3. Baiting
Security Patterns
1. Identity and access management
It is a process of managing the identity of people and systems, and their permissions.
Steps:
1. Identification
2. Authentication
3. Authorization
2. Segregation of duties and least privilege
3. Layered security
4. Cryptography
a) Symmetric key encryption
b) Asymmetric key encryption
c) Hash function and digital signature
d) Cryptographic attacks