Security Architecture 1 of 2

1
Security Architecture (1 of 2)
2
Security Concerns
Privacy
Pornography
Viruses
Hacktivism
Unauthorized Access
Public Confidence
Information Theft

Denial of Service
Industrial Espionage
3
Security Expectations

• Users can perform only authorized tasks
• Users can obtain only authorized information
• Users cannot cause damage to the data,
  applications, or operating environment of a
  system

4
Motivations for Security
5
Network Security Weaknesses

• Technology weaknesses
• Configuration weaknesses
• Security policy weaknesses

6
Technology Weaknesses

• All computer and network technologies have
  inherent security weaknesses or vulnerabilities.
• Dont overlook
• Hardware issues
• OS issues
• Network protocol issues (even TCP/IP)
• Application vulnerabilities

7
Configuration Weaknesses

• Insecure default settings
• If you left the defaults, you are dead.
• Misconfigured network equipment
• A little knowledge is a dangerous thing
• Insecure user accounts/passwords
• End-users cant be trusted to use strong
  passwords
• Misconfigured Internet services
• HTTP, Java, CGI, unneeded services.

8
Security Policy Weaknesses

• Lack of a written security policy
• Internal politics
• Lack of business continuity
• Turnover in staff/management can be devastating
• Logical access controls to network equipment are
  not applied
• Security administration is lax, including
  monitoring and auditing
• Lack of awareness of having been attacked
• Software and hardware installation and changes do
  not follow the policy
• Security incident and disaster recovery
  procedures are not in place

9
Categories of Network Threats

• Unstructured
• Structured
• Internal
• External

10
Threats and Consequences
11
Database Security

• Degree to which data is fully protected from
  tampering or unauthorized acts
• Comprises
• Information system
• Information security concepts

12
Information Systems

• Comprised of components working together to
  produce and generate accurate information
• Wise decisions require
• Accurate and timely information
• Information integrity
• Categorized based on usage

13
Information Systems Components
14
Database Management

• Essential to success of information system
• DBMS functions
• Organize data
• Store and retrieve data efficiently
• Manipulate data (update and delete)
• Enforce referential integrity and consistency
• Enforce and implement data security policies and
  procedures
• Back up, recover, and restore data

15
Client Server Database systems
16
Database Management

• Data
• Hardware
• Software
• Networks
• Procedures
• Database servers

17
Information Security Architecture

• Protects data and information produced from the
  data
• Model for protecting logical and physical assets
• Is the overall design of a companys
  implementation of C.I.A. triangle

18
Information Security Architecture
19
Confidentiality

• Addresses two aspects of security
• Prevention of unauthorized access
• Information disclosure based on classification
• Classify information into levels
• Each level has its own security measures
• Usually based on degree of confidentiality
  necessary to protect information

20
Eavesdropping Packet Sniffing
21
Confidentiality Classification
22
Integrity

• Consistent and valid data, processed correctly,
  yields accurate information
• Information has integrity if
• It is accurate
• It has not been tampered with
• Read consistency
• Each user sees only his changes and those
  committed by other users

23
Degradation of Data Integrity
24
Degradation of Data Integrity
25
Availability

• Systems must be always available to authorized
  users
• Systems determines what a user can do with the
  information
• Reasons for a system to become unavailable
• External attacks and lack of system protection
• System failure with no disaster recovery strategy
• Overly stringent and obscure security policies
• Bad implementation of authentication processes

26
Fin