Workshop 2

Tutor: William Yeoh gingsun.yeoh@UniSA.edu.au

School of Computer and Information Science

Secure and High Integrity System (INFT 3002)

Post on 29-Jan-2016

Group project details

Form a group of 3 by Wednesday (18 Sept)

Report due on 7 November, 5pm (Friday)

You must pass this assessment to pass the course

3000-5000 words

You may decide the company’s name, location (not necessarily Australia), etc.

Task: Your group is a small, newly formed IT Security Consultancy that has recently been employed on its first case.

Abraham is a health administrator (MD) but he has no modern technical understanding of IT security issues.

Abraham has had no problems with IT Security until very recently, when the Hospital’s network was subject to a series of attacks. In a period of 3 days, the Hospital’s website was defaced, a serious virus infected the Hospital’s e-mail and large quantities of data were corrupted.

Abraham wonders why this is happening and he questions whether there is a link to his company’s partnership with a large Health Insurance Company. He is also concerned to find out who might be attacking his network and why.

He is very anxious to grow his business and knows that he needs to implement some security measures quickly so as to pass an external audit (he has had nothing more than some proprietary and outdated anti-virus software until now).

Organisation Structure

[Organisation chart; positions shown:]

Warren Chan, Executive assistant

Junior Sys Admin

Senior Sys Admin

Douglas Brown, Chief Information Officer

Medical and Nursing staff

Chief Nursing Officer

Luigi Rossi, Chief Medical Officer

Finance officer

Finance manager

Admin officer

HR Manager

Mubarak, Chief Admin Officer

Abraham Wong, MD

The issues Abraham is asking for advice on are:

1. What risks do you think he is facing as he gears up his business and how can he manage these risks?

2. How can he develop a suitable security policy (given the company structure above)? Supply a security policy as Appendix 1 (you may use all the resources in the Resources for Module 2 and adapt these as necessary).

3. Does he need to implement some cryptographic protection of data? How?

4. What is a “trusted” system, why might he need one anyway, and can he implement this within his Windows NT network?

5. How can he protect his network? Currently it is a simple LAN, some databases, a mail server and a web server but he wants to add some E-Commerce functionality very soon. What will happen when his staff use wireless-enabled PDAs for the collection of patient data?

6. Why might hackers be attacking his network; why would they be interested in his company?

7. Is there any legislation to help him if his network is hacked into again?

8. What kind of legal or ethical issues will he himself face if the data in his databases or files is lost or damaged?

Today’s task

3. Does he need to implement some cryptographic protection of data? How?

4. What is a “trusted” system, why might he need one anyway, and can he implement this within his Windows NT network?

Hints for: 3. Does he need to implement some cryptographic protection of data? How?

This section evaluates the need to implement data cryptography

Consider which cryptographic technology should be adopted

How to implement it in this situation

Does he need to implement some cryptographic protection of data?

• The hospital stores sensitive information, e.g. patients’ medical records, financial situation, personal details, payment history, credit card info, passwords, etc.

• Weighing the business’s situation against the current trends in attacks, what is the risk evaluation?

• ‘Is the risk of occurrence higher than the cost of implementing cryptographic protection?’

Some rationale to implement:

Storing a large amount of sensitive info of different nature in the IT system

Current security level of network design & data management, security policy, staff awareness, etc.

Storage of backup media does not guarantee a high enough security level to avoid data leakage

Connection to the Internet using a dial-up modem is not secure enough

The rapid introduction of viruses, trojans & malicious code produces high risk

The website was defaced recently, which shows a security problem

Consider which cryptographic technology should be adopted

How to implement it in this situation?

Suggest a commercial product (e.g. DES, Blowfish, RSA, hybrid cryptosystem, etc.)

Internal or outsourced

Staff perspective

Customers’ perspective

Steps, etc.

Hints for: 4. What is a “trusted” system, why might he need one anyway, and can he implement this within his Windows NT network?

What is a “trusted” system

Why might he need one anyway

Can he implement this within his Windows NT network?

What is a “trusted” system?

A trusted OS provides the basic security mechanisms that allow a system to protect, distinguish & separate data.

It began to receive NSA evaluation in 1984

It lowers the security risk of implementing a system that processes classified data

It implements security policies & accountability mechanisms in an OS package

Why might he need one anyway?

User identification and authentication – to control access rights

Mandatory & discretionary access control – to control the usage of objects

Object reuse protection – to prevent a malicious user from claiming a large amount of disk space & scavenging it for sensitive data

Complete mediation – checking all access, including memory, outside ports & network

Audit – maintains a log of security-relevant events

Audit log reduction – allows logged info to be kept in a reduced data size for consultation

Trusted path – facilitates unmistakable communication in critical operations

Intrusion detection – intrusions into the system are detected

Can he implement this within his Windows NT network?

A Windows NT network provides trusted OS features as follows:

User identification and authentication can be set for all users & administrators

Mandatory & discretionary access control are configurable for objects, e.g. files & folders

Object reuse protection, as the usable volume of disk for all users can be strictly controlled by Windows NT

Complete mediation: Windows NT can check system resources including memory, port status & network connections

Audit log is maintained by Windows NT Server. Log details can be checked easily by the administrator

Intrusion detection: Windows NT has no intrusion detection system; however, this feature can be handled by commercial firewall products.

Configuring a Windows NT network to implement a Trusted OS:

Update Windows NT servers with patches and use the latest NT version

Enforce the Windows NT Server password policy and establish consistent auditing

Limit usable server volume for users to enhance object reuse protection

Avoid granting unnecessary privileges to users

Avoid running unnecessary services on servers

Maintain audit trail records & perform checks on these records

Install IDS in the network
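The audit log reduction and audit trail checks listed above, as an added example that is not part of the original slides: it collapses repeated Security-log records into one row each and then runs two checks on the reduced trail. The export format, user names and workstation names are constructed assumptions; the event IDs are the Windows NT Security-log IDs for logon success (528), logon failure (529), object open (560) and audit log cleared (517).

```python
from datetime import datetime

# Constructed sample export, one record per line in the assumed format
# "timestamp,event_id,user,workstation".
SAMPLE_LOG = """\
2016-01-29 08:00:01,528,nurse01,WARD3-PC
2016-01-29 08:05:12,560,nurse01,WARD3-PC
2016-01-29 08:05:40,560,nurse01,WARD3-PC
2016-01-29 09:10:00,529,finance02,ADMIN-PC
2016-01-29 09:10:07,529,finance02,ADMIN-PC
2016-01-29 09:10:15,529,finance02,ADMIN-PC
2016-01-29 09:10:22,529,finance02,ADMIN-PC
2016-01-29 09:11:03,528,finance02,ADMIN-PC
2016-01-29 23:40:00,517,jsysadmin,SERVER1
"""

LOGON_FAIL, LOG_CLEARED = 529, 517  # Windows NT Security-log event IDs

def parse(text):
    """Yield (time, event_id, user, workstation) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, user, ws = (f.strip() for f in line.split(","))
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, ws

def reduce_log(text):
    """Audit log reduction: one row per (event, user, workstation)
    holding a count and the first/last time the event was seen."""
    rows = {}
    for ts, eid, user, ws in parse(text):
        row = rows.setdefault((eid, user, ws), {"count": 0, "first": ts, "last": ts})
        row["count"] += 1
        row["first"] = min(row["first"], ts)
        row["last"] = max(row["last"], ts)
    return rows

def check(rows, max_failures=3):
    """Checks an administrator would run on the reduced trail."""
    findings = []
    for eid, user, ws in sorted(rows):
        count = rows[(eid, user, ws)]["count"]
        if eid == LOGON_FAIL and count >= max_failures:
            findings.append(f"{count} failed logons for {user} from {ws}")
        elif eid == LOG_CLEARED:
            findings.append(f"audit log cleared by {user} on {ws}")
    return findings

if __name__ == "__main__":
    reduced = reduce_log(SAMPLE_LOG)
    for key in sorted(reduced):
        print(key, reduced[key]["count"], reduced[key]["first"], reduced[key]["last"])
    print(check(reduced))
```
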

Q & A

Group Discussion
