Introduction to Systems Security
|
|
- Dwight Ryan
- 6 years ago
- Views:
Transcription
1 Introduction to Systems Security CIM3571 Dr. S.F. Wu R323, x706) Continuous Assessment 50% Examination 50%
2 Security and Threat There are three aspects of computer security: Confidentiality Confidentiality is the concealment of information or resources. Integrity Integrity refers to the trustworthiness of data or resources. Availability Availability refers to the ability to use the information or resource desired. A threat is a potential violation of security. Threats can be divided into four categories: 1. Disclosure unauthorized access to information. 2. Deception acceptance of false data. 3. Disruption interruption or prevention of normal operations. 4. Usurpation unauthorized control of part of a system. Some typical threats: Snooping Masquerading Denial of Service Can you identify which category they belong? Introduction to Systems Security Slide 1
3 Policy and Mechanism Security Policy A security policy is a statement of what is, and what is not, allowed. For example, it may be determined that no access to Internet is allowed within a company, except for some particular staff members. Security Mechanism A security mechanism is a method, tool, or procedure for enforcing a security policy. For example, a firewall may be set up so that only some staff members can access the Internet. The mechanisms should provide three levels of service: 1. Prevention 2. Detection 3. Recovery How do we know that a security policy is adequate for an organization? If the security policy is too tight, it will translate to additional cost. If the security policy is too loose, there may not be enough protection. In a cost-benefit analysis, the benefits of computer security is weighted against their cost. Introduction to Systems Security Slide 2
4 Risk Management Risk the probability that a certain threat can happen. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations missions. Risk management encompasses three processes: Risk assessment identification and evaluation of risk impacts, and recommendation of riskreducing measures. Risk mitigation prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Evaluation and assessment determine whether the remaining risk is at an acceptable level. Introduction to Systems Security Slide 3
5 Integrating Risk Assessment in SDLC Effective risk management must be totally integrated into SDLC. An IT system s SDLC have phases: initiation, development or acquisition, implementation, operation/maintenance, and disposal. SDLC Phases Phase Characteristics Risk Management Activities Phase 1 Initiation The need for an IT system is expressed and the purpose and scope of the IT system is documented Phase 2 Development or acquisition Phase 3 Implementation The IT system is designed, purchased, programmed, developed, or otherwise constructed The system security features should be configured, enabled, tested, and verified Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy) The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions Introduction to Systems Security Slide 4
6 Phase 4 Operation/Maintenance Phase 5 - Disposal The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software regarding risks identified must be made prior to system operation Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces) Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner Introduction to Systems Security Slide 5
7 Risk Assessment Methodology Introduction to Systems Security Slide 6
8 Risk Mitigation Risk mitigation is a systematic methodology used by senior management to reduce mission risk. Risk mitigation can be achieved through any of the following risk mitigation options: Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence(e.g., forgo certain functions of the system or shut down the system when risks are identified) Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat s exercising a vulnerability (e.g., use of supporting, preventive, detective controls) Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance. Introduction to Systems Security Slide 7
9 Risk Mitigation Methodology Introduction to Systems Security Slide 8
10 Technical Security Control Introduction to Systems Security Slide 9
11 Cost-Benefit Analysis A cost-benefit analysis for proposed new controls or enhanced controls encompasses the following: Determining the impact of implementing the new or enhanced controls Determining the impact of not implementing the new or enhanced controls Estimating the costs of the implementation. These may include, but are not limited to, the following: Hardware and software purchases Reduced operational effectiveness if system performance or functionality is reduced for increased security Cost of implementing additional policies and procedures Cost of hiring additional personnel to implement proposed policies, procedures, or services Training costs Maintenance costs Assessing the implementation costs and benefits against system and data criticality to determine the importance to the organization of implementing the new controls, given their costs and relative impact. Introduction to Systems Security Slide 10
12 What is Linux? Linux is a new operating system developed by a Norwegian programmer named Linus Torvald. Linux is free and the source code is all 'open'. That is, any one can work on the Linux operating system and then post new code to improve it. This concept is known as 'Open Source'. IBM has adopted Linux as a standard. IBM s support for Linux is evident in the following web site: Linux can be used as a desktop environment. Most of the common office applications can be found Linux, such as word processing, accounting and database. A good list of Linux applications can be found at More often, Linux is used as an Intranet/Internet server. Linux supports a wide variety of Internet protocols including FTP, HTTP, POP, SMTP, TCP/IP, NNTP. Linux is also a good development because it supports many programming languages and is as stable as rock. Introduction to Systems Security Slide 11
13 Linux Security Linux security has six components: User Account All administrative power in Linux is contained in a single account called root. As the root account, you control other user accounts, files and directories, and network resources. Discretionary Access Control (DAC) DAC refers to the control of what each user can access files and directories. You enforce such limitation through groups. Users in a group has the same access right. Network Access Control Linux provides the ability to selectively allow users and hosts to connect to each other. For example, you may allow connection to Internet for a particular user. Encryption Linux supports various encryption standards including SSL and IPsec. Logging Linux has very extensive logging capability. Logging is an important tool for checking and understanding hacker activity. Linux can provide logging for the following activities: System and kernel messages, network connection, remote request, command issued by a user. Intrusion Detection A wide selection of toolkits are available for intrusion detection and deception. Introduction to Systems Security Slide 12
14 Account Structure An account consists of the following: A valid username and password A home directory Shell access The file /etc/passwd consists of user account entries: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt Each line stores on account record and each record consists of seven fields. username Encrypted User ID Group ID Real name User home User shell password (UID) (GID) root x 0 0 root /root /bin/bash Older Linux stores an encrypted password in /etc/passwd while newer ones use password shadowing to hide the password information. Introduction to Systems Security Slide 13
15 Password Shadowing Password shadowing is a technique in which /etc/passwd remains readable but no longer contains passwords. Instead, user password are stored in /etc/shadow. root:$1$dn4lnepw$.np4lxlg5pxpzxdvnpdbc0:12675:0:99999:7::: bin:*:12675:0:99999:7::: The file /etc/shadow is similar to /etc/passwd that each line corresponds to one account. It is safer to put the encrypted passward in /etc/shadow because it can only be read by the root. -rw-r--r-- 1 root root 2401 Sep 16 10:06 passwd -r root root 1506 Sep 16 10:06 shadow The passwords in /etc/shadow is encrypted using MD5 by default. Password security in /etc/shadow is further enhanced by including password aging. Password aging is a practice which forces the user to change the password on regular basis. Shadowed password is relatively safe and hackers usually exploits bugs in various tools or applications to gain access to /etc/shadow. Introduction to Systems Security Slide 14
16 Create Account Graphical tools are available to manage the user account. Most of them time, you should not use the root account for daily operation. You should create at least one for yourself to do less critical job. Introduction to Systems Security Slide 15
17 Account Properties Introduction to Systems Security Slide 16
18 Access Control In Linux, you limit user access to files and directories by establishing permissions. Three basic permission types exist: Read (r) allows users to read the specified file. Write (w) allows users to alter the specified file. Execute (x) allows users to execute the file. The permission of a file is shown in the file listing: drwxr-xr-x 3 root root 4096 Sep 14 11:40.mozilla -rw root root 38 Sep 20 10:05.mysql_history drwxr-xr-x 3 root root 4096 Sep 14 11:27.nautilus drwx root root 4096 Sep 21 14:22.opera -rw-rw-rw- 1 root root Sep 21 06:04 opera The first character is the file type: - represents a file d represents a directory l represents a symbolic link The remaining sets of three characters describes the permission for the owner, group and world respectively. Introduction to Systems Security Slide 17
19 Changing File Permission The permission of file can be changed in the Permissions tab under file Properties. However, most of the time, it is more convenient to use the command chmod to change the permission. Typically, chmod is used as: chmod 755 myfile The owner of a file can be changed by using the chown command: chown wu myfile Programs with either SGID or SUID permissions are special because their owner s permission is enforced even when other users execute them. Therefore SGID and SUID are often a security threat. Introduction to Systems Security Slide 18
Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationUser Management. René Serral-Gracià Xavier Martorell-Bofill 1. May 26, Universitat Politècnica de Catalunya (UPC)
User Management René Serral-Gracià Xavier Martorell-Bofill 1 1 Universitat Politècnica de Catalunya (UPC) May 26, 2014 Lectures 1 System administration introduction 2 Operating System installation 3 User
More informationL1: Computer Security Overview. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L1: Computer Security Overview Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 8/17/2015 CSCI 451- Fall 2015 1 Acknowledgement Many slides are or
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationINSE 6130 Operating System Security. Overview of Design Principles
INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in simplicity
More informationPre-Assessment Answers-1
Pre-Assessment Answers-1 0Pre-Assessment Answers Lesson 1 Pre-Assessment Questions 1. What is the name of a statistically unique number assigned to all users on a Windows 2000 system? a. A User Access
More informationINSE 6130 Operating System Security
INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 1 Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in
More informationOperating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07
0Handouts: Lesson 1 Quiz 1. What is the working definition of authentication? a. The ability for a person or system to prove identity. b. Protection of data on a system or host from unauthorized access.
More informationUser Accounts. The Passwd, Group, and Shadow Files
User Accounts The Passwd, Group, and Shadow Files We'll start with the passwd (pronounced "password") file, located at /etc/passwd. This file holds information about all of the user accounts on the system.
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationExercise Sheet 2. (Classifications of Operating Systems)
Exercise Sheet 2 Exercise 1 (Classifications of Operating Systems) 1. At any given moment, only a single program can be executed. What is the technical term for this operation mode? 2. What are half multi-user
More information10 userdel: deleting a user account 9. 1 Context Tune the user environment and system environment variables [3]
1. Context 1.111.1 2 8 Deleting a group 8 1.111.1 Manage users and group accounts and related system files Weight 4 Outline Contents Linux Professional Institute Certification 102 Nick Urbanik
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationChapter 8: Security under Linux
Chapter 8: Security under Linux 8.1 File and Password security Linux security may be divided into two major parts: a) Password security b) File security 8.1.1 Password security To connect to a Linux system
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationThreat and Vulnerability Assessment Tool
TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...
More informationHands-on Keyboard: Cyber Experiments for Strategists and Policy Makers
Hands-on Keyboard: Cyber Experiments for Strategists and Policy Makers Review of the Linux File System and Linux Commands 1. Introduction Becoming adept at using the Linux OS requires gaining familiarity
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationStandard CIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-1 3. Purpose: Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing
More informationIntroduction to Computer Security
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationObjectives of the Security Policy Project for the University of Cyprus
Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University
More informationUNIT 10 Ubuntu Security
AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT 10 Ubuntu Security Learning Objectives Participants will understand how to configure major components of Linux/Ubuntu Account
More informationNetwork Security Assessment
Network Security Assessment http://www.cta.com/content/docs/n et_ass.pdf 1 Introduction There are certain characteristics that the network should possess: 1. Security Policy. Networks should have an associated
More informationSECURITY PLAN DRAFT For Major Applications and General Support Systems
SECURITY PLAN For Major Applications and General Support Systems TABLE OF CONTENTS EXECUTIVE SUMMARY A. APPLICATION/SYSTEM IDENTIFICATION A.1 Application/System Category Indicate whether the application/system
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo
ISC2 Exam Questions CISSP Certified Information Systems Security Professional (CISSP) Version:Demo 1. How can a forensic specialist exclude from examination a large percentage of operating system files
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationSystem Administration
User and Group Management All processes on the system run under by a user. Users can be collected into groups which can be given common attributes Users and groups are represented by the system using unique
More informationPost-Class Quiz: Access Control Domain
1. In order to perform data classification process, what must be present? A. A data classification policy. B. A data classification standard. C. A data classification procedure. D. All of the above. 2.
More informationPND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access
The World s Premier Online Practical Network Defense course PND at a glance: Self-paced, online, flexible access 1500+ interactive slides (PDF, HTML5 and Flash) 5+ hours of video material 10 virtual labs
More informationcs642 /operating system security computer security adam everspaugh
cs642 computer security /operating system security adam everspaugh ace@cs.wisc.edu principles Principles of Secure Designs Compartmentalization / Isolation / Least privilege Defense-in-depth / Use more
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2 3 June 2013 Developed by Red Hat, NSA, and DISA for the DoD Trademark Information Names, products,
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationSoftware Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group
Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Defence Research and Development Canada Recherche et développement pour la défense Canada Canada Agenda
More informationOutline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components
UNIX security Ulf Larson (modified by Erland Jonsson/Magnus Almgren) Computer security group Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Outline UNIX security ideas
More informationRich Powell Director, CIP Compliance JEA
Rich Powell Director, CIP Compliance JEA Review access control requirements CIP-003 and CIP-007 Discuss compliance considerations Implementation Strategies Hints/Tips for audit presentation Account Control
More informationCST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management
Student Name: YOUR NAME Lab Section: 011 012 013 or 014 Linux User and Group Management 1 Due Date - Upload to Blackboard by 8:30am Monday April 2, 2012 Submit the completed lab to Blackboard following
More informationStandard: Risk Assessment Program
Standard: Risk Assessment Program Page 1 Executive Summary San Jose State University (SJSU) is highly diversified in the information that it collects and maintains on its community members. It is the university
More informationUnix, History
Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History
More informationCOMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1
COMPLIANCE BRIEF: HOW VARONIS HELPS WITH OVERVIEW The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how firms that process credit card and other similar
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 12 Contingency Planning
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 12 Contingency Planning Learning Objectives Recognize the need for contingency planning Describe the major components of
More informationOverview of Information Security
Overview of Information Security Lecture By Dr Richard Boateng, UGBS, Ghana Email: richard@pearlrichards.org Original Slides by Elisa Bertino CERIAS and CS &ECE Departments, Pag. 1 and UGBS Outline Information
More informationFall 2006 Shell programming, part 3. touch
touch Touch is usually a program, but it can be a shell built-in such as with busybox. The touch program by default changes the access and modification times for the files listed as arguments. If the file
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationGSEC Q&As GIAC Security Essentials Certification
CertBus.com GSEC Q&As GIAC Security Essentials Certification Pass GIAC GSEC Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money Back
More informationProject #3: Implementing NIS
Project #3: Implementing NIS NIS Daemons Limitations of NIS How We Will Use NIS NIS Domain Name NIS Software Setting Up NIS on it20 /etc/nsswitch.conf Creating New Accounts on Ubuntu /etc/passwd /etc/shadow
More informationProtection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger
Protection CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ Protection Protect yourself from untrustworthy users in a common space They may try to access your resources Or modify
More informationTechnology Risk Management and Information Security A Practical Workshop
Technology Risk Management and Information Security A Practical Workshop Paul Doelger Chief Risk Officer - Technology and Business Partners BNY Mellon Email: paul.doelger@bnymellon.com Oct 1, 2010 Oct
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationInformation Security in Corporation
Information Security in Corporation System Vulnerability and Abuse Software Vulnerability Commercial software contains flaws that create security vulnerabilities. Hidden bugs (program code defects) Zero
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path TCP wrappers Race conditions NOTE: filenames may differ between OS/distributions
More informationISSP Network Security Plan
ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...
More informationUnix Basics. UNIX Introduction. Lecture 14
Unix Basics Lecture 14 UNIX Introduction The UNIX operating system is made up of three parts; the kernel, the shell and the programs. The kernel of UNIX is the hub of the operating system: it allocates
More informationCSN09101 Networked Services. Module Leader: Dr Gordon Russell Lecturers: G. Russell
CSN09101 Networked Services Week 3 : Users, Permissions, Processes, and Pipes Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Users File permissions Processes Hard and soft links USERS
More informationChapter 5: User Management. Chapter 5 User Management
Chapter 5: User Management Chapter 5 User Management Last revised: 20/6/2004 Chapter 5 Outline In this chapter we will learn Where user and group account information is stored How to manage user accounts
More informationSecurity Standards for Information Systems
Security Standards for Information Systems Area: Information Technology Services Number: IT-3610-00 Subject: Information Systems Management Issued: 8/1/2012 Applies To: University Revised: 4/1/2015 Sources:
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationOperating system security
Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationInformation Security Policy
Document title: [ Information Security Policy May 2017 ] Approval date: [ May 2017 ] Purpose of document: [ To define AUC s information security program main pillars and components] Office/department responsible:
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationUser accounts and authorization
User accounts and authorization Authentication vs authorization Authentication: proving the identity of someone Authorization: allowing a user to access certain resources 1 Government authorization documents
More informationAuthentication System
A Biologically Inspired Password Authentication System Dipankar Dasgupta and Sudip Saha Center for Information Assurance University of Memphis Memphis, TN 38152 Outline Motivation Position Authentication
More informationCompliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations
VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW
More informationFRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months
FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months MODULE: INTRODUCTION TO INFORMATION SECURITY INFORMATION SECURITY ESSENTIAL TERMINOLOGIES
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationWorking with Basic Linux. Daniel Balagué
Working with Basic Linux Daniel Balagué How Linux Works? Everything in Linux is either a file or a process. A process is an executing program identified with a PID number. It runs in short or long duration
More informationCapability and System Hardening
P a g e 1 Date Assigned: mm/dd/yyyy Date Due: mm/dd/yyyy by hh:mm Educational Objectives Capability and System Hardening This lab is designed to help you gain a better understanding of system hardening
More informationInformation Security CS 526
Information Security CS 526 s Security Basics & Unix Access Control 1 Readings for This Lecture Wikipedia CPU modes System call Filesystem Permissions Other readings UNIX File and Directory Permissions
More informationStandard CIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing
More informationRedHat. Rh202. Redhat Certified Technician on Redhat Enterprise Linux 4 (Labs)
RedHat Rh202 Redhat Certified Technician on Redhat Enterprise Linux 4 (Labs) http://killexams.com/exam-detail/rh202 QUESTION: 156 Who ever creates the files/directories on /data group owner should be automatically
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 8551.1 August 13, 2004 ASD(NII)/DoD CIO SUBJECT: Ports, Protocols, and Services Management (PPSM) References: (a) DoD Directive 8500.1, "Information Assurance (IA),"
More informationTrust Services Principles and Criteria
Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More informationSecurity Policy Document Version 3.3. Tropos Networks
Tropos Control Element Management System Security Policy Document Version 3.3 Tropos Networks October 1 st, 2009 Copyright 2009 Tropos Networks. This document may be freely reproduced whole and intact
More informationChapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC
Chapter 8: SDLC Reviews and Audit... 2 8.1 Learning objectives... 2 8.1 Introduction... 2 8.2 Role of IS Auditor in SDLC... 2 8.2.1 IS Auditor as Team member... 2 8.2.2 Mid-project reviews... 3 8.2.3 Post
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More informationFigure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues
1 Managing the Security Function Chapter 11 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Top Management Support Top-Management security awareness briefing (emphasis on brief)
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationREVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009
APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationAdvanced Security Measures for Clients and Servers
Advanced Security Measures for Clients and Servers Wayne Harris MCSE Senior Consultant Certified Security Solutions Importance of Active Directory Security Active Directory creates a more secure network
More informationemarketeer Information Security Policy
emarketeer Information Security Policy Version Date 1.1 2018-05-03 emarketeer Information Security Policy emarketeer AB hereafter called emarketeer is a leading actor within the development of SaaS-service
More informationMAKING SECURITY AWARENESS HAPPEN: APPENDICES
82-01-04 DATA SECURITY MANAGEMENT MAKING SECURITY AWARENESS HAPPEN: APPENDICES Susan Hansche, CISSP INSIDE Instructional Strategies (Training Delivery Methods); Suggested IT System Security Training Courses
More informationContingency Planning
Contingency Planning Introduction Planning for the unexpected event, when the use of technology is disrupted and business operations come close to a standstill Procedures are required that will permit
More informationSecurity of Information Technology Resources IT-12
Security of Information Technology Resources About This Policy Effective Dates: 11-28-2007 Last Updated: 10-23-2017 Responsible University Administrator: Office of the Vice President for Information Technology
More informationCS246 Spring14 Programming Paradigm Notes on Linux
1 Unix History 1965: Researchers from Bell Labs and other organizations begin work on Multics, a state-of-the-art interactive, multi-user operating system. 1969: Bell Labs researchers, losing hope for
More informationFreescale FAE75 Training Genesi Pegasos II LinuxTraining. Maurie Ommerman June 10, 2004
Freescale FAE75 Training Genesi Pegasos II LinuxTraining Maurie Ommerman June 10, 2004 FAE75 Part 3 Debian Linux Maurie Ommerman June 10, 2004 Open Firmware boot script Boot Options Upon PowerUP, this
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationDELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.3
DELL EMC UNITY: DR ACCESS AND TESTING Dell EMC Unity OE 4.3 1 The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect to the information
More information