CSE 3482 Introduction to Computer Security. Introduction to Information/Computer Security

Similar documents
HIPAA Compliance Checklist

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Information Security

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

HIPAA Federal Security Rule H I P A A

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

DETAILED POLICY STATEMENT

Information Technology Update

Complete document security

EXHIBIT A. - HIPAA Security Assessment Template -

Principles of Information Security, Fourth Edition. Chapter 1 Introduction to Information Security

Internet of Things Toolkit for Small and Medium Businesses

The simplified guide to. HIPAA compliance

Course Description. Audience. Prerequisites. Skills Taught. Module Title. Duration. Course Outline :: CompTIA A+ Certification ::

HIPAA Compliance & Privacy What You Need to Know Now

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Putting It All Together:

Security Policies and Procedures Principles and Practices

HIPAA / HITECH Overview of Capabilities and Protected Health Information

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

CompTIA A+ Certification

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Guide to Network Security First Edition. Chapter One Introduction to Information Security

SHS Annual Information Privacy and Security Training

Define information security Define security as process, not point product.

PCI Compliance. What is it? Who uses it? Why is it important?

Cybersecurity and Hospitals: A Board Perspective

How Managed File Transfer Addresses HIPAA Requirements for ephi

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Carbon Black PCI Compliance Mapping Checklist

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

Vulnerability Management

Department of Public Health O F S A N F R A N C I S C O

HIPAA Security and Privacy Policies & Procedures

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Securing Wireless Mobile Devices. Lamaris Davis. East Carolina University 11/15/2013

Cyberspace : Privacy and Security Issues

716 West Ave Austin, TX USA

Securing Devices. Controlling Access. Protecting Documents. Safeguarding All Valuable Data

Guide: HIPAA. GoToMeeting and HIPAA Compliance. Privacy, productivity and remote support. gotomeeting.com

10 Hidden IT Risks That Might Threaten Your Business

Name of Policy: Computer Use Policy

E-guide Getting your CISSP Certification

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Security and Privacy Governance Program Guidelines

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Checklist: Credit Union Information Security and Privacy Policies

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

HIPAA Regulatory Compliance

Altius IT Policy Collection Compliance and Standards Matrix

NOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section.

Healthcare Privacy and Security:

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

SECURING YOUR BUSINESS INFRASTRUCTURE Today s Security Challenges & What You Can Do About Them

Protecting Your Gear, Your Work & Cal Poly

Symmetric Key Services Markup Language Use Cases

COMPLETING THE PAYMENT SECURITY PUZZLE

System Structure. Steven M. Bellovin December 14,

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

PULSE TAKING THE PHYSICIAN S

Introduction to Information Security Dr. Rick Jerz

CSE 3482 Introduction to Computer Security. Security Risk Management Cost-Benefit Analysis

Securing Information Systems

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

The essential guide to creating a School Bring Your Own Device Policy. (BYOD)

Legal Considerations and Case Studies

Minimize litigation risk Discuss security best practices Review security tools and techniques Identify seven cybersecurity must-do s

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Microsoft 365 Business FAQs

CompTIA IT Fundamentals V5 (Course & Lab) Course Outline. CompTIA IT Fundamentals V5 (Course & Lab) 24 Jan

Disk Encryption Buyers Guide

mhealth SECURITY: STATS AND SOLUTIONS

McAfee Internet Security Suite Quick-Start Guide

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Symantec Small Business Solutions

Information Security Controls Policy

HELPFUL TIPS: MOBILE DEVICE SECURITY

Altius IT Policy Collection Compliance and Standards Matrix

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Information Security. How to be GDPR compliant? 08/06/2017

UTAH VALLEY UNIVERSITY Policies and Procedures

HIPAA Privacy and Security Training Program

CIT 480: Securing Computer Systems. Putting It All Together

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Nine Steps to Smart Security for Small Businesses

Discount Kaspersky PURE 3.0 internet download software for windows 8 ]

The Dropbox Problem: It s Worse than You Think

HIPAA AND SECURITY. For Healthcare Organizations

Transcription:

CSE 3482 Introduction to Computer Security Introduction to Information/Computer Security Instructor: N. Vlajic, Winter 2017

Learning Objectives Upon completion of this material, you should be able to: Describe the key security requirements of confidentiality, integrity and availability (CIA). Describe the CNSS security model (McCumber Cube). Identify today s most common threats and attacks against information. Distinguish between different main categories of malware.

Required Reading Computer Security, Stallings: Chapter 1 Computer Security, Stallings: Chapter 6

Introduction Computer general purpose device that can be programmed to carry out a set of arithmetic or logical operations automatically examples: desktops laptops, tablets mobile phones printers servers, routers gaming consoles industrial controllers alternative definition: electronic device for storing and processing of data/information

Introduction (cont.) Data vs. Information 01000111 11101100 10100001 00111010 01011101 00001101 account balance: $238,000.00 In many organizations, information/data is seen as the most valuable asset!!!

Introduction (cont.) http://www.slideshare.net/mrcox/btec-national-in-ict-unit-3-data-vsinformation

Introduction (cont.) Information Technology technology involving development & use of computer systems & networks for the purpose of processing & distribution of data/information categories of IT jobs: IT engineer - develops new or upgrades existing IT equipment (software or hardware) IT administrator - installs, maintains, repairs IT equip./system IT architect - draws up plans for IT systems and how they will be implemented IT manager - oversees other IT employees, has authority to buy technology and plan budgets IT security specialist - creates and executes security applications to maintain system security and safety

Introduction (cont.) Information System entire set of data, software, hardware, networks, people, procedures and policies that deal with processing & distribution of information in an organization each component has its own strengths, weaknesses, and its own security requirements information is - stored on computer hardware, - manipulated by software, - transmitted by communication, - used by people - controlled by policies

Introduction (cont.) Security = state of being secure, free from danger. Information Security practice of defending digital information from unauthorized access use recording disruption modification destruction, C.I.A.

Introduction (cont.) Computer Security vs. Information Security terms are often used interchangeably, but computer security (aka IT security) is mostly concerned with information in digital form information security is concerned with information in any form it may take: electronic, print, etc. Information Security Computer (IT) Security

Introduction (cont.) https://www.cisco-eagle.com/blog/2008/01/30/data-center-security-ismuch-more-than-digital/ http://www.csoonline.com/article/2112402/physical-security/physicalsecurity-19-ways-to-build-physical-security-into-a-data-center.html?page=3

Introduction (cont.) Environmental and life safety controls

Introduction (cont.) Who is responsible for security of information? In the last 20 years, technology has permeated every facet of the business environment. The business place is no longer static it moves whenever employees travel from office to office, from office to home, from city to city. Since business have become more fluid,, information security is no longer the sole responsibility of a small dedicated group of professionals,, it is now the responsibility of every employee. http://www.businessandleadership.com/fs/img/news/200811/378x/business-traveller.jpg http://www.koolringtones.co.uk/wp-content/uploads/2010/01/mobile-phones.jpg

Introduction (cont.) BYOD the good and the bad http://lawinquebec.com/wp-content/uploads/2013/06/byod.jpg

Introduction (cont.) Example: Gawker (2010) - importance of good passwords http://www.forbes.com/sites/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

C.I.A. of Information Security C.I.A. Triangle 3 key characteristics of information that must be protected by information security: confidentiality - only authorized parties can view private information integrity - information is changed only in a specified and authorized manner (by authorized users) availability - information is accessible to authorized users whenever needed

C.I.A. of Information Security (cont.) Example: DATA CONFIDENTIALITY Student grade an information asset of high importance for student. In US, release of such information is regulated by Family Educational Rights and Privacy Act (FERPA). Grade information should only be available to students, their parents and employees that require this information to do their job. In Canada, the same issue is regulated by Personal Information Protection and Electronic Documents Act (PIPEDA).

C.I.A. of Information Security (cont.) Example: How to ensure data confidentiality? cryptography strong access control limiting number of places where data can appear (e.g., cannot be stored on an USB)

C.I.A. of Information Security (cont.) Example: DATA INTEGRITY Patient information in a hospital the doctor should be able to trust that the information is correct and current. Inaccurate info could result in serious harm to the patient end expose the hospital to massive liability. In US, Health Insurance Portability and Accountability Act (HIPAA) regulates the collection, storage, and transmission of sensitive personal health care information. Hospital is responsible for safeguarding patient information against error, loss, defacing, tampering and unauthorized use. (Ontario s Personal Health Information Protection Act - PHIPA)

documenting system activity - who did what and when) - detects attacks on data integrity C.I.A. of Information Security (cont.) Example: How to ensure data integrity? strong access control - prevents attacks on data integrity cryptography (hashing) - detects attacks on data integrity

C.I.A. of Information Security (cont.) Example: DATA AVAILABILITY Accessible and properly functioning web site a key asset for an e-commerce company. E.g., a DDoS attack could make the site unavailable and cause significant loss in revenue and reputation. In US, Computer Fraud and Abuse Act (CFAA) applies to DoS-related attacks. In Canada, DoS activities are regulated under Criminal Code of Canada, Section 342: Unauthorized Use of Computer

C.I.A. of Information Security (cont.) Example: How to ensure data availability? anti-ddos system (in case of attack that attempt to prevent access by blocking the bandwidth/server): e.g., content distribution networks, scrubbing centers well established backup procedure (in case of attacks that attempt to prevent access by destroying data)

C.I.A. of Information Security (cont.) Example: CIA of different IT components Table 1.3 Computer and Network Assets, with Examples of Threats.

C.I.A. of Information Security (cont.) Extended C.I.A. Triangle some security experts feel that additional concept need to be added to the CIA triad: authentication - being able to verify that users are who they claim to be, and that each data input has come from a trusted source accountability - being able to trace actions of an entity uniquely to that entity Confident. Availability Integrity

Where/how do we start building or evaluating a security system? We know that we want to protect the CIA of data. But, 1) Data can reside in several different states. 2) There are several different approaches of how data can be protected.

CNSS Security Model CNSS = Committee on National Security Systems McCumber Cube Rubik s cube-like detailed model for establishment & evaluation of info. security to develop a secure system, one must consider not only key security goals (CIA) but also how these goals relate to various states in which information resides and full range of available security measures

CNSS Security Model (cont.) Information States Storage - aka data at rest, such as data stored in memory or on a disk Transmission - aka data in transit - data being transferred between systems, in physical or electronic form Processing - aka data in use - data being actively examined or modified

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback