2014-09-11 Lecture 12: Security in wireless networks and cloud services; risk analysis. Welcome to the course Open Source, IT Law and Security (Öppen källkod, IT-rätt och säkerhet), IG020G!

Presentation transcript:

Lecture 12: Security in wireless networks and cloud services; risk analysis. Welcome to the course Open Source, IT Law and Security (Öppen källkod, IT-rätt och säkerhet), IG020G! Text (not images) freely available under Creative Commons BY-SA 3.0.

Review: malware. Virus, rootkit, spyware, Internet worm, adware, Trojan horse (parasite program), backdoor, logic bomb, buffer overflow attack, SQL injection, DoS attack, DDoS attack, spoofing (address forgery).

The TCP/IP model. H – header: control data added at the front end of the data unit. T – trailer: control data added at the back end of the data unit. Trailers are usually added only at layer 2.
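An added worked example of the header/trailer idea on this slide (my code, not part of the lecture): application data is wrapped in a UDP header, then an IPv4 header, then an Ethernet header in front and a frame check sequence (CRC-32) trailer at the back, and the receiver peels the layers off again while checking both checksums. MAC addresses, IP addresses and ports are constructed values.

```python
# Added example (not from the lecture): encapsulation with a header (H) in front of each
# layer's data unit and a trailer (T) only at layer 2. Addresses and ports are constructed.
import socket
import struct
import zlib

SRC_MAC = bytes.fromhex("020000000001")  # constructed, locally administered address
DST_MAC = bytes.fromhex("020000000002")  # constructed


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: 8-byte UDP header in front of the payload (checksum 0 = none, allowed in IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(segment: bytes, src_ip: str, dst_ip: str, proto: int = 17) -> bytes:
    """Layer 3: 20-byte IPv4 header; its checksum covers the header only, not the data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill in checksum field
    return hdr + segment


def build_ethernet(packet: bytes, src_mac: bytes, dst_mac: bytes, ethertype: int = 0x0800) -> bytes:
    """Layer 2: 14-byte header in front and a 4-byte FCS (CRC-32) trailer at the back."""
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + packet
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)  # FCS goes on the wire LSB first
    return body + fcs


def encapsulate(payload: bytes) -> bytes:
    """Application data -> UDP segment -> IPv4 packet -> Ethernet frame."""
    segment = build_udp(payload, 40000, 53)
    packet = build_ipv4(segment, "192.0.2.10", "192.0.2.53")
    return build_ethernet(packet, SRC_MAC, DST_MAC)


def decapsulate(frame: bytes) -> dict:
    """Peel the layers from the outside in, checking the trailer and the IP header checksum."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        raise ValueError("Ethernet FCS mismatch")
    ethertype = struct.unpack("!H", body[12:14])[0]
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {"ethertype": ethertype, "proto": packet[9],
            "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
            "src_port": src_port, "dst_port": dst_port, "payload": segment[8:udp_len]}


def frame_is_intact(frame: bytes) -> bool:
    """True if both the FCS trailer and the IP header checksum verify."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = encapsulate(b"hello")
    print(len(frame), "bytes:", decapsulate(frame))
```

Note what the two checks do and do not give you: a CRC or one's-complement checksum detects accidental corruption on the link, but carries no key, so it is not an integrity mechanism against someone who deliberately rewrites a packet. That is why the slides that follow need cryptographic signatures and MACs rather than checksums.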

Technical protections against intrusion: access control lists (ACL); switches; antivirus software; network firewall (proxy, packet filtering, NAT); personal firewall; leak tests and port scanning; automatic updates; web proxy, server-side cache; encryption and digital signatures based on certificates from a trusted Certification Authority (CA), for example virtual private networks (VPN), HTTPS, FTPS, SFTP, and WEP (weak) and WPA in wireless networks.

SSL (Secure Sockets Layer)

SSH (Secure Shell) ssh [command] Log in via an encrypted link to a remote machine (and, if provided, execute “command”). An RSA or DSA signature is used to protect the Diffie-Hellman session-key exchange and to identify the machine or user. Various authentication mechanisms exist; e.g. the remote machine will not ask for a password if the user’s private key (~/.ssh/id_rsa) fits one of the public keys listed in the home directory on the remote machine (~/.ssh/authorized_keys2). Generate key pairs with ssh-keygen.
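An added example (my code, not from the lecture or from OpenSSH) of what “fits one of the public keys listed” means: the entry in the user’s id_*.pub and the entry in authorized_keys are compared on the decoded key blob, not on the comment or the options in front of it, and the fingerprint reported by ssh-keygen -l is SHA-256 over that same blob. The 32-byte key material is filler, not a real key, and the authorized_keys content is constructed. Note that authorized_keys2 on the slide is a legacy name; current OpenSSH reads ~/.ssh/authorized_keys first and authorized_keys2 only as a second default file.

```python
# Added example (not from the lecture): matching a user's public key against authorized_keys.
# OpenSSH's public-key blob is a sequence of length-prefixed strings; key material below is filler.
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def _read_ssh_string(blob: bytes, offset: int = 0):
    (n,) = struct.unpack("!I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def public_key_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build one line in id_*.pub / authorized_keys format: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str):
    """Return (key_type, blob), or None for blank/comment lines. Rejects an entry whose
    embedded type disagrees with the declared type (corrupted or hand-edited line)."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    # authorized_keys entries may start with options such as from="..." or command="..."
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            key_type, b64 = tok, parts[i + 1]
            break
    else:
        return None
    blob = base64.b64decode(b64)
    embedded_type, _ = _read_ssh_string(blob)
    if embedded_type.decode() != key_type:
        raise ValueError(f"declared type {key_type} != embedded type {embedded_type!r}")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """Same format as 'ssh-keygen -l': SHA-256 of the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_authorized(user_pub_line: str, authorized_keys_text: str):
    """Fingerprint of the user's key if an authorized_keys entry has the same blob, else None."""
    parsed = parse_public_key_line(user_pub_line)
    if parsed is None:
        return None
    _, user_blob = parsed
    for line in authorized_keys_text.splitlines():
        try:
            entry = parse_public_key_line(line)
        except ValueError:
            continue  # skip a malformed entry instead of failing the whole file, as sshd does
        if entry is not None and entry[1] == user_blob:
            return fingerprint(user_blob)
    return None


# Constructed demo keys: 32 bytes of filler in the ed25519 slot, NOT real key material.
ALICE_PUB = public_key_line("ssh-ed25519", bytes(range(32)), "alice@laptop")
BOB_PUB = public_key_line("ssh-ed25519", bytes(range(32, 64)), "bob@desktop")
AUTHORIZED_KEYS = "\n".join([
    "# keys allowed to log in as this account (constructed)",
    'from="192.0.2.0/24" ' + public_key_line("ssh-ed25519", bytes(range(32)), "alice (office only)"),
])

if __name__ == "__main__":
    print("alice:", find_authorized(ALICE_PUB, AUTHORIZED_KEYS))
    print("bob:", find_authorized(BOB_PUB, AUTHORIZED_KEYS))
```

Comparing fingerprints rather than comments is also how you audit an authorized_keys file in practice: list the fingerprints, and check each one against a known owner.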

HTTP vs HTTPS. When a browser requests content from a web server, this is done via the HTTP protocol. Example request: GET /path/to/file/index.html HTTP/1.0. Example response: HTTP/ Not found, followed by the HTML code of an error page. HTTP is transferred unencrypted (over Telnet). HTTPS is HTTP over TLS/SSL, i.e. “encrypted Telnet”. The server sends over its certificate. The client (the browser) encrypts a random number with the server’s public key. Only the holder of the corresponding private key can decrypt it. The random number is used to encrypt the communication session. The certificate is provided by a company called a Certification Authority (CA).
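An added toy version of the handshake this slide describes (my code, not from the lecture and not a TLS implementation): the server has an RSA key pair, the client draws a random number and encrypts it with the server’s public key, only the private key recovers it, and both sides derive a session key from it to protect the HTTP exchange. It uses textbook RSA with freshly generated 512-bit keys and no padding, a SHA-256/HMAC stand-in for the record layer, and no certificate or CA check at all, so it shows the roles of the keys and nothing more. In real TLS up to version 1.2 this was the RSA key-transport mode with PKCS#1 v1.5 padding; TLS 1.3 dropped it in favour of ephemeral Diffie-Hellman, which also gives forward secrecy if the server key later leaks.

```python
# Added example (not from the lecture): toy RSA key transport in the style of the slide.
# Textbook RSA, no padding, no certificate chain; for illustration only.
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Return ((e, n), (d, n)). 512 bits is far too small for real use; demo only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def session_key(pre_master: int) -> bytes:
    """Derive the session key from the random number both sides should share."""
    length = max(32, (pre_master.bit_length() + 7) // 8)
    return hashlib.sha256(pre_master.to_bytes(length, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, message: bytes, nonce: bytes) -> bytes:
    """XOR with a hash keystream, then append an HMAC tag (stand-in for the TLS record layer)."""
    body = bytes(m ^ s for m, s in zip(message, _keystream(key, nonce, len(message))))
    return body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def toy_decrypt(key: bytes, record: bytes, nonce: bytes) -> bytes:
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("record tampered with or wrong session key")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


def handshake(server_pub, server_priv):
    """Client encrypts a random number with the server's public key; the server decrypts it.
    Returns (client_session_key, server_session_key); they agree only if server_priv matches."""
    e, n = server_pub
    pre_master = int.from_bytes(secrets.token_bytes(32), "big")  # 256 bits < n; unpadded (toy!)
    ciphertext = pow(pre_master, e, n)       # this is what travels to the server
    d, _ = server_priv
    recovered = pow(ciphertext, d, n)        # only the private-key holder can do this
    return session_key(pre_master), session_key(recovered)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    client_key, server_key = handshake(pub, priv)
    nonce = secrets.token_bytes(8)
    record = toy_encrypt(client_key, b"GET /index.html HTTP/1.0\r\n\r\n", nonce)
    print(toy_decrypt(server_key, record, nonce))
```

The step this toy leaves out is the one the slide attributes to the CA: the browser must check that the public key it encrypts to really belongs to the server it wants, by validating the certificate chain. Without that check, encrypting the random number proves nothing about who will be able to read it.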

The basic principle of risk analysis: Vulnerability + Threat can lead to Security failure. Risk analysis => Security policy (rules and strategies).

27000 certification. The ISO/IEC 27000 series is a collection of security standards published by the standardisation organisations ISO and IEC. They are guidelines, which an organisation may choose to build on, for how risks and threats can be systematically mapped and managed. The series covers management responsibility, administrative routines and overall requirements on the IT infrastructure. Independent certification of information security is possible, in the same way as for the ISO 9000 quality standards and the ISO environmental standards. The series includes: ISO/IEC Information Security Management System – Requirements; ISO/IEC Code of Practice for Information Security Management; ISO/IEC Information Security Management System implementation guidance; ISO/IEC Information Security Management Measurement; ISO/IEC Information Security Risk Management.

Security Management and Engineering: “Is this product/technique/service secure?” Simple Yes/No answers are often wanted, but typically inappropriate. Security of an item depends much on the context in which it is used. Complex systems can provide a very large number of elements and interactions that are open to abuse. An effective protection can therefore only be obtained as the result of a systematic planning approach. “No need to worry, our product is 100% secure. All data is encrypted with 128-bit keys. It takes billions of years to break these.” Such statements are abundant in marketing literature. A security manager should ask: What does the mechanism achieve? Do we need confidentiality, integrity or availability of exactly this data? Who will generate the keys and how? Who will store / have access to the keys? Can we lose keys and with them data? Will it interfere with other security measures (backup, auditing, scanning,... )? Will it introduce new vulnerabilities or can it somehow be used against us? What if it breaks or is broken?...

Security policy development Step 1: Security requirements analysis → Identify assets and their value → Identify vulnerabilities, threats and risk priorities → Identify legal and contractual requirements Step 2: Work out a suitable security policy The security requirements identified can be complex and may have to be abstracted first into a high-level security policy, a set of rules that clarifies which are or are not authorised, required, and prohibited activities, states and information flows. Security policy models are techniques for the precise and even formal definition of such protection goals. They can describe both automatically enforced policies (e.g., a mandatory access control configuration in an operating system, a policy description language for a database management system, etc.) and procedures for employees (e.g., segregation of duties).

Step 3: Security policy document Once a good understanding exists of what exactly security means for an organisation and what needs to be protected or enforced, the high-level security policy should be documented as a reference for anyone involved in implementing controls. It should clearly lay out the overall objectives, principles and the underlying threat model that are to guide the choice of mechanisms in the next step.

Step 4: Selection and implementation of controls Issues addressed in a typical low-level organisational security policy: → General (affecting everyone) and specific responsibilities for security → Names manager who “owns” the overall policy and is in charge of its continued enforcement, maintenance, review, and evaluation of effectiveness → Names individual managers who “own” individual information assets and are responsible for their day-to-day security → Reporting responsibilities for security incidents, vulnerabilities, software malfunctions → Mechanisms for learning from incidents → Incentives, disciplinary process, consequences of policy violations → User training, documentation and revision of procedures

→ Personnel security (depending on sensitivity of job) Background checks, supervision, confidentiality agreement → Regulation of third-party access → Physical security Definition of security perimeters, locating facilities to minimise traffic across perimeters, alarmed fire doors, physical barriers that penetrate false floors/ceilings, entrance controls, handling of visitors and public access, visible identification, responsibility to challenge unescorted strangers, location of backup equipment at safe distance, prohibition of recording equipment, redundant power supplies, access to cabling, authorisation procedure for removal of property, clear desk/screen policy, etc. → Segregation of duties Avoid that a single person can abuse authority without detection (e.g., different people must raise purchase order and confirm delivery of goods, croupier vs. cashier in casino) → Audit trails (logging of activity) What activities are logged, how are log files protected from manipulation

→ Separation of development and operational facilities → Protection against unauthorised and malicious software → Organising backup and rehearsing restoration → File/document access control, sensitivity labeling of documents and media → Disposal of media Zeroise, degauss, reformat, or shred and destroy storage media, paper, carbon paper, printer ribbons, etc. before discarding it. → Network and software configuration management → Line and file encryption, authentication, key and password management → Duress alarms, terminal timeouts, clock synchronisation,...