• No results found

no security! Dilbert

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "no security! Dilbert"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

1

Too much security can result in

no security!

Dilbert

(2)

https://xkcd.com/936/

.explainxkcd.com/wiki/index.php/936:_Passwor

d_Str

ength

eshing.com/20110811/xkcd-passwor

d-generator/

(3)

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Contents of a Security Plan

Security policy, indicating the goals of a computer security effort

and the willingness of the people involved to work to achieve those

goals

Assessment of current state, describing the status of security at

the time of the plan

Security requirements, recommending ways to meet the security

goals

Recommended controls, mapping controls to the vulnerabilities

identified in the policy and requirements

Accountability, documenting who is responsible for each security

activity

Timetable, identifying when different security functions are to be

done

Maintenance, specifying a structure for periodically updating the

(4)

Security Policy

A high-level statement of purpose and intent

Answers three essential questions:

Who should be allowed access?

To what system and organizational resources should access be

allowed?

What types of access should each user be allowed for each resource?

Should specify

The organization’s security goals (e.g., define whether reliable service

is a higher priority than preventing infiltration)

Where the responsibility for security lies (e.g., the security group or the

user)

The organization’s commitment to security (e.g., defines where the

security group fits in the corporate structure)

(5)

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Assessment of Current Security Status

A risk analysis—a systemic investigation of the system,

its environment, and what might go wrong—forms the

basis for describing the current security state

Defines the limits of responsibility for security

Which assets are to be protected

Who is responsible for protecting them

Who is excluded from responsibility

(6)

Security Requirements

Security requirements are functional or performance demands

placed on a system to ensure a desired level of security

Usually derived from organizational business needs,

sometimes including compliance with mandates imposed from

outside, such as government standards

Characteristics of good security requirements:

Correctness

Consistency

Completeness

Realism

Need

Verifiability

Traceability

(7)

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Responsibility for

Implementation

A section of the security plan will identify which people (roles) are

responsible for implementing security requirements

Common roles:

Users of personal computers or other devices may be responsible for the

security of their own machines. Alternatively, the security plan may designate

one person or group to be coordinator of personal computer security.

Project leaders may be responsible for the security of data and computations.

Managers may be responsible for seeing that the people they supervise

implement security measures.

Database administrators may be responsible for the access to and integrity of

data in their databases.

Information officers may be responsible for overseeing the creation and use

of data; these officers may also be responsible for retention and proper

disposal of data.

Personnel staff members may be responsible for security involving

employees, for example, screening potential employees for trustworthiness

and arranging security training programs.

(8)

Timetable and Plan

Maintenance

As a security plan cannot be implemented instantly, the plan

should include a timetable of how and when the elements in

it will be performed

The plan should specify the order in which controls are to be

implemented so that the most serious exposures are covered

as soon as possible

The plan must be extensible, as new equipment will be

acquired, new connectivity requested, and new threats

identified

The plan must include procedures for change and growth

(9)
(10)
(11)
(12)
(13)
(14)

What is a CVE?

One identifier for one vulnerability or exposure

One standardized description for each vulnerability or exposure

A dictionary rather than a database

How disparate databases and tools can "speak" the same language

The way to interoperability and better security coverage

A basis for evaluation among services, tools, and databases

Free for public download and use

Industry-endorsed via the CVE Numbering Authorities, CVE Board, and

numerous products and services that include CVE

(15)

Each CVE entry contains

CVE ID number (i.e.,"CVE-2017-100001").

Brief Description of the security vulnerability or exposure.

Any pertinent References (i.e., vulnerability reports and

advisories).

Example: https://cve.mitre.org/cgi-bin/cvename.cgi?

name=CVE-2018-17446

(16)

Some references

https://preshing.com/20110811/xkcd-password-generator/

https://blog.webernetz.net/password-strengthentropy-characters-vs-words/

Common Vulnerabilities and Exposures (CVE)


https://cve.mitre.org/about/

NIST National Vulnerability Database


https://nvd.nist.gov/general/nvd-dashboard

References

Download now ( PDF - 16 Page - 902.23 KB )

Related documents

Effect of pay for performance to improve quality of maternal and child care in low- and middle-income countries: a systematic review.

Patient perceived overall quality of care index is the aggregate score given by the patient for various dimensions of provider behavior and competence (e.g. how provider explores

Democratic Education Only for Some: Secondary Schooling in Northern Uganda

Before USE, the schools used to enroll maybe 150 to 180 students for S1. When you only have 3 classrooms for S1, you expect me to take 300 students… So the enrollment

Exchange market pressure and the credibility of Macau's currency Board

As a result, the CBA’s credibility is re fl ected in the narrowing of interest rate di ff erentials vis-à-vis the anchor currency, exchange rate and/or foreign reserves stability

CASE VALUES AND CASE CREDITS. Longshore and Harbor Workers Compensation Act Claims LEWIS S. FLEISHMAN, ESQ. AND MICHAEL D. MURPHY, ESQ.

We are persuaded that ITO failed to demonstrate that this award duplicates the recovery Aples (claimant) made against Ryan-Walsh. Clearly, there is a different application of the

Do self-reported stress and depressive symptoms effect endothelial function in healthy youth? The LOOK longitudinal study

In the current study, we sought to investi- gate whether stress and depressive symptoms effect early disturbances in endothelial function among the Lifestyle of our Kids (LOOK)

Spatial Profit Differential of Yam Marketing in Gombe Metropolis, Gombe State, Nigeria.

In comparison of the four (4) selected markets in the study area, the result shows that the maximum average selling price and as well as the average profit were obtained in

Examining Nontherapeutic Circumcision

original) [hereinafter M AIMONIDES , G UIDE ].. justifiable for parents to choose to vaccinate their offspring against measles, mumps, rubella, and other childhood

How to Make Aloo Tikki - Indian Appetizer Recipe Video by Show Me the Curry,Indian Recipe, Cooking Videos, Recipe Videos

Fish Cutlets recipe Aloo Tikki - Indian.. Appetizer