Transcript Security Strategy

Security Strategy
HIGHER INFORMATION SYSTEMS
Security Strategy
You will need to be able to explain:




Data Security
Data Integrity and
Data Privacy
Risks


Hacking
Denial of Service DOS
 Policies & Procedures
 Password Guidelines
 Virus Protection



Prevention
Detection
Repair
 Firewall
 Encryption
 Access Rights
Security Strategy
Data Security
Physical Loss – fire or flood
Electronic problems – faulty hardware or
magnetic influences.
Theft – by a competitor.
Malicious access, deletion or virus attack.
Security Strategy
Data Integrity
Is the data correct?
When it is entered double entry can be used.
Call centres ask customer to spell names and
details are read back.
Transmission errors can cause data errors.
Viruses, hardware breakdown, viruses or
computer crime can cause problems.
Security Strategy
Data Privacy
This is personal or sensitive data.
Is the data safe from unauthorised people?
In school we have passwords and user logons so
that no one else can access your files.
People within school have different levels of
access, this means data can be kept more secure.
E.g. Guidance have access to personal information
but teachers do not.
Security Strategy
Summary
The network manager keeps the data secure. (Fire,
flood, electronic outages).
Integrity is how correct data is when it is first entered.
Privacy is not letting other users into your personal or
sensitive data.
Security Strategy
The Risks
Virus – malicious code.
Designed to spread to other computers automatically.
Transmitted via an e-mail attachment, downloaded or
something else.
Can lie dormant for some time and can be very
harmful.
Security Strategy
The Risks
Hacking – Breaking into a computer system from
outside the network.
Breaking in is an offence but not a bad as maliciously
altering or stealing information.
Security Strategy
The Risks
Denial of Service Attack (DOS Attack)– Flooding a
server with surprisingly large amounts of requests for
information. The server is overloaded and it ends up
crashing.
Security Strategy
Policies and Procedures
Code of Conduct – set of rules that
users must follow. Employees have to
sign a code of conduct. Usually
common sense and for the
employee's protection to stop them
breaking the law.
The British Computer Society has a
Code of Ethics which includes
professional conduct, professional
integrity, public interest, fidelity
(trustworthiness), technical
competence.
Security Strategy
Password Guidelines
A strong password is one that no one else can guess
and would be made up entirely of random numbers and
letters (lowercase and uppercase).
Users tend to choose poor passwords. The rules are:
• Minimum of 8 characters
• Letters and numbers and symbols
• No words
• Not the same as a previous password
• Cannot be easily guessed
http://www.passwordmeter.com/
Security Strategy
Virus protection
Computer systems are susceptible to viruses and must
be protected by:
Not allowing floppy disks.
Not open suspicious emails and use filtering software
to intercept the virus.
Install anti-virus software that can Prevent,
detect, or repair the infected file.
Stops key loggers.
Security Strategy
Firewall
A firewall was originally constructed to
stop fire spreading throughout a house.
It could be constructed between the
house and the garage.
Note: it is anti-virus
software that stops
viruses!
This metaphor has been borrowed by the computing
industry to name the software/hardware that acts as a
barrier between computers on a network. Without it
intruders could destroy, tamper with or gain access the files
on your computer.
Extra notes: http://www.vicomsoft.com/knowledge/reference/firewalls1.html#2
Security Strategy
Firewall
A firewall can be hardware or software
that has filters to constantly monitor
for unauthorised access to an network.
It is placed between a file server and
the internet connection.
It also:
Checks and filters external messages
Blocks access to certain workstations/servers from an
external computer.
Only grants access to authorised users.
Security Strategy
Encryption
Encryption techniques are used to
pass sensitive data across the internet.
The most obvious place you will see
this is if you use your credit card to buy
goods on the internet.
If the packets of data are intercepted they cannot be read
because they have been scrambled using 32 bit or 64 bit
encryption.
The message can only be read by the person receiving it,
who holds the correct key to decipher it.
Security Strategy
Encryption
In an exam you may be asked to
explain how encryption works. This is
public and private key encryption.
1. Bob encrypts the message with Alice’s Public Key.
2. The encrypted message is sent and cannot be read by
unauthorised users.
3. Alice decrypts the message with her private key, no one else
knows what this key is.
Security Strategy
Access Rights
Access rights are:
Read
Write
Create
Erase
Modify
These right can be granted or revoked by the owner of the files or
by the administrator. If a file is read only you cannot write, erase
or modify it in any way.
You would normally give these access rights in groupings e.g.
read, write, create, modify.
Security Strategy
Access Rights
Access rights can specifically set for the
following:
•Whether you have administrator rights
•The amount of disk space allocated
•Printers (printer credits)
•E-mail
•Internet
•Folders
•Applications
Security Strategy
You have learned about:
•Data Security
•Data Integrity and
•Data Privacy
•Risks
Hacking
Denial of Service DOS
•Policies & Procedures
•Password Guidelines
•Virus Protection
Prevention
Detection
Repair
•Firewall
•Encryption
•Access Rights
Question
2008 Q17
Lachlan is preparing for an interview for the job of network security
manager at First Place Ltd. The company has 4 warehouses supplying
40 branches throughout the country. As stock control system is used to
manage daily supplies to each branch. As part of the interview he will
be asked about a security strategy for the company’s organisational
information system.
(a) State five areas concerning security strategies that Lachlan should be
prepared to discuss in his interview.
(5)
Question
2009 Section 2
Q17. Setting up a username and password is one task involved in the creation of a
network account.
State three other settings associated with a network account.
3
2011
Q18
A company holds confidential personal data about its customers
(a) Explain the difference between security and privacy as applied to data held in a
computerised information system
2
(b)
(i) Evaluate the suitability of these passwords:
scotland
tom100695
Hs%2
3
(ii) Apart from passwords, describe two data security measures that
should be introduced as part of the security strategy.
4