Module 8 Administering Security
Transcript of Module 8 Administering Security
Network Security, Philadelphia University
Ahmad Al-Ghoul, 2010-2011
Module 8: Administering Security
Modified by: Ahmad Al-Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: [email protected]
Contents
• Personal Computer Security Management
• Contributors to Security Problems
• Security Measures
• Protection of Files
• Access Control Mechanisms for PCs
• Risk Analysis
• THEORETICAL FRAMEWORK
• Reacting to Threats
• CULTURE AND RISK
• STAKEHOLDER MODEL
• RISK COMMUNICATION
• TRUST AND CONFIDENCE VS CREDIBILITY
• INSTITUTIONAL CREDIBILITY
• Risk Perception, Trust and Credibility
Personal Computer Security Management
• Security problems for personal computers are more serious than on mainframe computers
– people issues
– hardware and software issues
• Lack of sensitivity
– users do not appreciate the security risks associated with the use of PCs
• Lack of tools
– hardware and software tools are fewer and less sophisticated than in the mainframe environment
Contributors to Security Problems
• Hardware vulnerabilities
– limited protection of one memory space
– every user can execute every instruction
– every user can read and write every memory location
– the operating system may declare certain files as “system” files, but it cannot prevent the user from accessing them
– operating system designers have failed to take advantage of hardware protection
Contributors to Security Problems
• Low awareness of the problem
– analogous to a calculator
• No unique responsibility
– if the machine is shared, nobody takes full responsibility for maintenance, supervision and control
• Few hardware controls
– few PCs take advantage of hardware features
• No audit trail
• Environmental attacks
• Physical access
– unattended machines
• Care of media components
– diskettes, etc.
Contributors to Security Problems
• No backups
• Questionable documentation
• High portability
• Combination of duties
– lack of checks and balances
Security Measures
Procedures:
• Do not leave PCs unattended in an exposed environment if they contain sensitive information
• Do not leave printers unattended if they are printing sensitive output
• Secure media as carefully as you would a confidential report
• Perform periodic back-ups
• Practice separation of authority
Security Measures
Hardware Controls:
• Secure the equipment
• Consider using add-on security boards
Software Controls:
• Use all software with a full understanding of its potential threats
• Do not use software from dubious sources
• Be suspicious of all results
• Maintain periodic complete backups of all system resources
Protection of Files
• Access control features
• Encryption
• Copy protection
• No protection
Access Control Mechanisms for PCs
Motivations for access control:
• Outside interference
• Two users, one machine
• Network access
• Errors
• Untrusted software
• Separation of applications
Features of PC Access Control Systems
• Transparent encryption
– some systems automatically encrypt files so that their contents will not be evident
• Time-of-day checking
– allowing access only during certain times
• Automatic timeout
– the system automatically terminates the session
• Machine identification
– a unique serial number can be read by the application
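As an added illustration (not code from the slides), the following Python policy check combines the last three features listed above: time-of-day checking, automatic timeout of an idle session, and machine identification by serial number. The serial numbers, access window and timeout are constructed values for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed policy values for the example (not from the slides).
ALLOWED_MACHINES = {"SN-0001-A", "SN-0002-B"}  # serial numbers the application expects to read
ACCESS_WINDOW = (time(8, 0), time(18, 0))      # time-of-day checking: 08:00 to 18:00
IDLE_TIMEOUT = timedelta(minutes=15)           # automatic timeout after this much inactivity

@dataclass
class Session:
    user: str
    machine_serial: str
    last_activity: datetime

def in_access_window(now: datetime, window=ACCESS_WINDOW) -> bool:
    """Time-of-day checking: allow access only inside the window (may wrap past midnight)."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def session_expired(session: Session, now: datetime, timeout=IDLE_TIMEOUT) -> bool:
    """Automatic timeout: a session idle longer than the limit is terminated."""
    return now - session.last_activity > timeout

def machine_known(session: Session, allowed=ALLOWED_MACHINES) -> bool:
    """Machine identification: the serial number read from the hardware must be on the list."""
    return session.machine_serial in allowed

def check_access(session: Session, now: datetime) -> tuple[bool, str]:
    """Run all three checks; return (allowed, reason) so every denial can be logged."""
    if not machine_known(session):
        return False, f"unknown machine {session.machine_serial}"
    if not in_access_window(now):
        return False, f"outside access window at {now:%H:%M}"
    if session_expired(session, now):
        return False, f"session idle longer than {IDLE_TIMEOUT}"
    return True, "ok"

def check_access_iso(user: str, serial: str, last_activity: str, now: str) -> tuple[bool, str]:
    """Convenience wrapper taking ISO 8601 timestamps, e.g. '2011-03-07T10:30:00'."""
    return check_access(Session(user, serial, datetime.fromisoformat(last_activity)),
                        datetime.fromisoformat(now))

if __name__ == "__main__":
    print(check_access_iso("alice", "SN-0001-A", "2011-03-07T10:25:00", "2011-03-07T10:30:00"))
```

The reason string is returned rather than only a boolean so that each denied access can be written to an audit trail, which the earlier slide lists as something PCs typically lack.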
Risk Analysis
RISK: the possibility of suffering harm or loss; a factor, course or element involving uncertain danger.
THEORETICAL FRAMEWORK
An important parameter in designing security systems is the COST.
RISK ASSESSMENT
• Risk perception
– psychological theory of risk: how the general public reacts to uncertainties of danger, and how this general reaction affects individual behaviour
– cultural theory of risk: risk perception differs depending on the social group and belief system an individual belongs to (Douglas 1970)
Reacting to Threats
[Diagram: THREAT → RISK PERCEPTION → RESPONSE, with labels “Passive Reaction” and “communication”]
Reacting to Threats
[Diagram: RISK PERCEPTION, Organisation Structure, RISK MANAGEMENT, External danger, and Shared Meaning and Trust]
CULTURE AND RISK
Risk behaviour is a function of how human beings, individually and in groups, perceive their place in the world.
It is important to understand the role of culture in stakeholder interaction in order to understand cultural biases in risk perception.
STAKEHOLDER MODEL
• Stakeholders
– Users: information user
– Suppliers: information provider and systems developer
– Others: systems manager
• Each stakeholder group has a different perception of the same risk.
• Stakeholders can be grouped among themselves depending on the social groups they belong to rather than the roles they assume.
STAKEHOLDER MODEL
• Individuals have different cultural biases and different perceptions of risk
– computer privacy and security rules differ between countries: Singapore, Japan, US, Canada
• Grouping stakeholders is not enough for designing an IS.
RISK COMMUNICATION
• It is important to know the cultural backgrounds of the stakeholders
– how they perceive risks
– how they communicate risks
– risk communication theory
– risk communication model
RISK COMMUNICATION
• Past:
– risk communication as one-way, from government to the general public…
– efforts to improve risk communication
– to get the message across by describing the magnitude and balance of the attendant costs and benefits
RISK COMMUNICATION
The costs and benefits are equally distributed across a society
People do not agree about which events or actions do the most harm or which benefits are more worth seeking.
RISK COMMUNICATION
US National Research Council (1989):
Risk communication is an interactive process of exchange of information and opinion among individuals, groups and institutions. It involves multiple messages about the nature of the risk and other messages, not strictly about risk, that express concerns, opinions and reactions to risk messages or to legal and institutional arrangements for risk management.
RISK COMMUNICATION
• Risk Communication
– risks posed to stakeholders on the web are technological hazards
– classical risk communication model:
• sources
• transmitters
• receivers
[Diagram: classical risk communication model, set within CULTURE. Sources (Scientists, Agencies, Interest Groups, Eyewitnesses) portray the Risk Event with symbols, signals and images; Transmitters (Media, Institutions/Agencies, Interest Groups, Opinion Leaders) pass it on to Receivers (General Public, Affected Organisations/Institutions, Social Groups, Other target audience); feedback returns along the chain, a two-way interaction.]
[Diagram: Initial Information → HEAR → UNDERSTAND → BELIEVE → PERSONALIZE → RESPOND → New Information. Influences on hearing: CULTURE, SOCIAL FASHION, PERSONAL VALUES, RELATED ATTITUDES; the message may Appeal or Do not Appeal.]
Communication
• The recipient hears the information and then screens it, based on social fashion, personal values and attitudes and under the influence of peer groups and cultural forces, before understanding the message
• Believing involves acceptance that the understanding is correct: the risk is real
• Personalisation: the risk event will affect the receiver
• Response: the decision to take action for protection from the risk
• Credibility of information sources and transmitters is a key issue in risk communication
TRUST AND CONFIDENCE VS CREDIBILITY
• Trust is an important ingredient in any trade transaction
• Trust acts as the mitigating factor for the risks assumed by one party on the other party in the trade
• As trust increases, the risks either reduce or become manageable by the trusting party
• The existence of trust also reduces the transaction cost in a trade
INSTITUTIONAL CREDIBILITY
The social climate pre-sets the conditions under which an institution has to operate to gain and maintain trust:
– in a positive climate people invest more trust in institutions
– in a negative climate people tend towards caution and seek to have more control
Risk Perception, Trust and Credibility
• Hypothesis:
– once trust and credibility exist in a relationship among the stakeholders during risk communication, stakeholders do not get involved in the analysis of risk factors individually, and
– information systems security becomes less important to people when dealing with a trustworthy and credible institution.
• The personality of the communicator, with the attributes of ability and integrity, is also important in establishing trust.
• Overall, the message, the communicator, the institution and the social context are the major factors in establishing trust within an organization.
Risk Perception, Trust and Credibility
• Inferential analysis:
– inverse correlation between trust and security on the internet
– the higher the trust placed in an organization, the lower the security concern.