I choose: Find and share a resource to support teaching students in secondary years about security in apps
Information System Security
- Data and Information
- Information System
- Confidentiality Information system security requirements
- The goal of security
Data are values of quantitative information or attach properties of things and phenomena in life. In In computing, data is used as a form of representation of information about events and phenomena adapting to Requests are transmitted, expressed, and processed by the computer.Information is data that has been processed, analyzed, organization for the purpose of better understanding things, events, image from a certain angle.Information system is a system includes people, data and data processing activities, and information within an organization.
Information system security is the protection of information systems against unauthorized access access, use, modify, destroy, disclose and disrupt information and system operation in an unauthorized manner.
Information system security requirements:
Confidentiality: protect data from being exposed out illegally.
Example: In the banking system, a customer is allowed I can’t see my account balance information permission to view information of other customers.
Integrity: Only authorized users new permission is allowed to edit data.
Example: In the banking system, do not allow customers change the balance information of your own account.
Availability: Ensure data is always available when authorized users or applications request bridge.
Example: In the banking system, it is necessary to ensure that customers Customers can query account balance information at any time as specified.
Resistant to Rejection: The ability to prevent prevent the denial of a done action.
Example: In the banking system, it is possible to provide evidence to prove a customer’s behavior, such as withdrawing money, money transfer
The goal of security:
Denial of service attack
An attack that prevents other users from access the system
Make the system overloaded and inoperable
DoS: attack “one-to-one”
DDoS(distributed denial of service)
Used Zombie host
Social engineering uses influence and persuasion to deceive users to exploit beneficial information for the attack or convince the victim to perform a some action.
An attacker can take advantage of the following human characteristics to attack:
Desire to be useful
Fear of getting into trouble
Simple to the point of sloppiness
There are 2 types of Social Engineering
Social engineering is based on people related to human-to-human interaction to gain information wish news.
Computer-based social engineering: concerned with the use of Use software to attempt to gather the necessary information
Social engineering is based on people
Pretend to be someone who needs help
Pretending to be important people
Pretend to be an authorized person
Pretend to be a technical support staff
Computer-based social engineering
Phising: email scamVishing: phone scam
Attached file in email
System security requires a clear security policy clear.
Separate privacy policies are required for requests different security
Build and select security policies for the system must follow the privacy policies of reputable organizations about security (compliance)
NIST, SP800, ISO17799, HIPAA
Select a security mechanism
Identify the right security mechanism to implement the policies security policy and achieve security objectives
There are four security mechanisms:
Access control: is the control mechanism, manage access to the database system
Mechanism for building access control rule sets: how method to consider an access is allowed or denied
Discretionary Access Control
Mandatory Access Control
Inference control: is management, control access to statistical databases because from the statistical data can inferring sensitive information.Information flow control: to prevent information flow from the protected data object to the less protected data object.Covert Channels: are channels that through which information flows can be implicitly transmitted to the outside illegallyEncryption: are computational algorithms aimed at convert original documents to text format readable, into ciphertext, in unreadable text.
Only the user with the correct key can decrypt it ciphertext to original plaintext.
Data encryption is used to protect sensitive data cold.