Unit 3
I choose: Find and share a resource to support teaching students in secondary years about security in apps
Information System Security
Basic Concepts:
- Data and Information
- Information System
- Information system security requirements
- The goal of security
Data are values that carry quantitative information or describe properties of things and phenomena in life. In computing, data is a representation of information about events and phenomena in a form suitable for being transmitted, expressed, and processed by a computer.
Information is data that has been processed, analyzed, and organized for the purpose of better understanding things and events viewed from a certain angle.
An information system is a system that includes people, data, data processing activities, and information within an organization.
Information system security is the protection of information systems against unauthorized access, use, modification, destruction, disclosure, and disruption of information and system operation.
Information system security requirements:
Confidentiality: protect data from being disclosed illegally.
Example: In the banking system, a customer is allowed to see their own account balance information but has no permission to view the information of other customers.
Integrity: only authorized users are allowed to edit data.
Example: In the banking system, customers are not allowed to change the balance information of their own accounts.
Availability: ensure data is always available when authorized users or applications request it.
Example: In the banking system, it is necessary to ensure that customers can query account balance information at any time, as specified.
Non-repudiation: the ability to prevent the denial of an action that has been performed.
Example: In the banking system, it is possible to provide evidence to prove a customer's actions, such as withdrawing money or transferring money.
The goal of security:
- Prevent attackers from violating the security policy.
- Detect security policy violations.
- Recover: block ongoing violations, review and fix bugs, and continue to operate normally even if an attack has happened.
Basic steps in information security
- Identify threats: what can harm the system?
- Select a security policy: what is expected from the security system?
- Select a security mechanism: how can the security system achieve the proposed security goals?
Identify threats
Security threats are events that affect the security of information systems.
Threats fall into four categories:
1. Illegally viewing information
2. Illegally editing information
3. Denial of service
4. Denial of actions
Common threats
- User errors and omissions
- Fraud and information theft
- Dangerous attackers
- Malicious code
- Denial of service attacks
- Social engineering
User errors and omissions
This threat to information systems comes from security errors and operating mistakes made by users of the system.
It is the leading threat to an information system.
Solution:
- Train users to perform operations correctly and limit errors
- Principle: least privilege
- Regularly back up the system
Fraud and information theft
This threat is posed by attackers from within the system, including fake users or malicious users.
Those who attack from the inside are always very dangerous.
Solution: define good security policies that provide definite evidence of attacks from within.
Dangerous attackers
Dangerous attackers infiltrate the system to search for information, destroy data, or destroy the system.
5 steps to attack a system:
1. Probe
2. Scan for vulnerabilities to attack
3. Try to gain access
4. Stay connected
5. Erase traces
Malicious code
Malicious code is an undesired piece of code embedded in a program to gain unauthorized access to a computer system in order to collect sensitive information, disrupt operation, or harm the computer system.
Includes: viruses, worms, trojan horses, spyware, adware, backdoors.
Denial of service attack
- An attack that prevents other users from accessing the system
- Makes the system overloaded and inoperable
- DoS: a "one-to-one" attack
- DDoS (distributed denial of service): uses zombie hosts; a "many-to-one" attack
Social Engineering
Social engineering uses influence and persuasion to deceive users, either to extract information that is useful for an attack or to convince the victim to perform some action.
An attacker can take advantage of the following human characteristics:
- Desire to be useful
- Trust in people
- Fear of getting into trouble
- Simplicity to the point of sloppiness
There are 2 types of social engineering:
- Human-based social engineering: relies on human-to-human interaction to obtain the desired information.
- Computer-based social engineering: relies on software to attempt to gather the necessary information.
Human-based social engineering
- Agent spy/spoof
- Pretending to be someone who needs help
- Pretending to be an important person
- Pretending to be an authorized person
- Pretending to be technical support staff
Computer-based social engineering
- Phishing: email scam
- Vishing: phone scam
- Pop-up windows
- Attached files in email
- Fake websites
- Fake software
Select a security policy
System security requires a clear security policy.
Separate security policies are required for different security requirements.
The security policies built and selected for the system must follow the policies of reputable organizations on security (compliance):
NIST, SP800, ISO17799, HIPAA
Select a security mechanism
Identify the right security mechanisms to implement the security policies and achieve the security objectives.
There are four security mechanisms:
- Access control
- Inference control
- Flow control
- Encryption
Access control: the mechanism that controls and manages access to the database system.
Mechanism for building sets of access control rules: the method for deciding whether an access is allowed or denied.
- Discretionary Access Control
- Mandatory Access Control
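
A sketch of mandatory access control, added here as an example that is not part of the original resource. It uses the "no read up, no write down" rules of the Bell-LaPadula model; the level names, objects and the `can_flow` helper are constructed for illustration.

```python
# Label-based mandatory access control: the system, not the data owner,
# decides every access by comparing security levels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


class Denied(Exception):
    """Raised when the system-wide policy forbids an access."""


class LabeledStore:
    def __init__(self):
        self.objects = {}  # object name -> [level, content]

    def create(self, name, level, content=""):
        self.objects[name] = [level, content]

    def read(self, subject_level, name):
        level, content = self.objects[name]
        # "No read up": a subject may not read an object above its level.
        if LEVELS[subject_level] < LEVELS[level]:
            raise Denied(f"{subject_level} subject cannot read {name}")
        return content

    def write(self, subject_level, name, content):
        level = self.objects[name][0]
        # "No write down": a subject may not write to an object below its level.
        if LEVELS[subject_level] > LEVELS[level]:
            raise Denied(f"{subject_level} subject cannot write {name}")
        self.objects[name][1] = content


def can_flow(store, src, dst):
    """True if a subject at some level is allowed to copy src into dst."""
    for subject_level in LEVELS:
        try:
            data = store.read(subject_level, src)
            store.write(subject_level, dst, data)
            return True
        except Denied:
            continue
    return False


def demo_store():
    """Constructed sample objects: one confidential, one public."""
    store = LabeledStore()
    store.create("balances", "confidential", "Chi: 5400")
    store.create("notice_board", "public", "Branch opens at 8:00")
    return store
```

Taken together, the two rules leave no subject level that can move content from the confidential object to the public one, while the opposite direction is still allowed.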
Inference control: the management and control of access to statistical databases, because sensitive information can be inferred from statistical data.
Information flow control: prevents information from flowing from a protected data object to a less protected data object.
Covert channels: channels through which information flows can be implicitly and illegally transmitted to the outside.
Encryption: computational algorithms that convert original documents in readable text form (plaintext) into ciphertext, which is unreadable.
Only a user with the correct key can decrypt the ciphertext back to the original plaintext.
Data encryption is used to protect sensitive data.
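
Why statistical databases need inference control, shown as an added example that is not part of the original resource: an interface that only returns sums can still reveal one customer's balance through the difference of two sums. The rows, the `StatDB` class and its two controls (a minimum query-set size and an overlap check) are constructed for illustration.

```python
from typing import Callable, Optional

# Constructed sample rows: (name, branch, age_band, balance)
ROWS = [
    ("An", "North", "30-39", 1200),
    ("Binh", "North", "30-39", 800),
    ("Chi", "North", "40-49", 5400),
    ("Dung", "North", "30-39", 1500),
    ("Giang", "South", "30-39", 950),
    ("Hoa", "South", "40-49", 2100),
]


class StatDB:
    """Statistical interface: callers only ever receive SUM(balance)."""

    def __init__(self, rows, min_size=0, check_overlap=False):
        self.rows = rows
        self.min_size = min_size            # k in the query-set-size rule
        self.check_overlap = check_overlap
        self.answered = []                  # query sets already answered

    def sum_balance(self, predicate: Callable) -> Optional[int]:
        qset = frozenset(i for i, r in enumerate(self.rows) if predicate(r))
        # Size control: refuse sets with fewer than k or more than N-k rows.
        if not self.min_size <= len(qset) <= len(self.rows) - self.min_size:
            return None
        # Overlap control: refuse a set that differs from an answered one
        # by fewer than k rows, since the difference would isolate them.
        if self.check_overlap and any(
            0 < len(qset ^ old) < self.min_size for old in self.answered
        ):
            return None
        self.answered.append(qset)
        return sum(self.rows[i][3] for i in qset)


def inferred_balance(db: StatDB) -> Optional[int]:
    """Difference of two permitted-looking aggregates over the North branch."""
    total = db.sum_balance(lambda r: r[1] == "North")
    rest = db.sum_balance(lambda r: r[1] == "North" and r[2] != "40-49")
    return None if total is None or rest is None else total - rest
```

With `min_size=2` alone the single-customer query is refused but the difference of the two sums still equals one customer's balance; adding `check_overlap=True` refuses the second query.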