Discusses individual and organisational strategies to improve cybersecurity. Accompanies a YouTube video.
Making systems more secure, 2013 Slide 1
Making systems more secure
• Strategies that can be used to improve cybersecurity
Improving cybersecurity
• Deterrence
– Increase the cost of mounting an attack on your systems
• Awareness
– Improve the awareness of all system users of security risks and types of attack
Improving cybersecurity
• Procedures
– Design realistic security procedures that can be followed by everyone in an organisation (including the boss)
• Monitoring and logging
– Monitor and log all security-relevant system operations
Deterrence
• It is impossible to develop a completely secure personal, business or government system. If an attacker has unlimited resources and motivation, it will always be possible to mount some attack on a given system.
Deterrence
• However, attackers never have unlimited resources and motivation, so an aim of security is to raise the cost of a successful attack to the point where attackers (a) are deterred from attacking at all and (b) abandon attempted attacks before they succeed.
Diverse authentication systems
• Use strong passwords and multiple forms of authentication
• Login/password + a second factor of a different kind (something you have, such as a one-time-code generator, or something you are, such as a biometric). A personal question is only a second secret of the same kind and falls to the same phishing or guessing attack as the password.
• An attacker has to break two independent levels of authentication to gain access
Firewalls
Encryption
• Use HTTPS (TLS) to encrypt information while it is in transit across the Internet
• Encrypt confidential information stored on your system, so that a stolen disk or backup cannot be read without the key
Password security
• Password strength measurement
– https://passfault.appspot.com/password_strength.html#menu
• Calculates how long it would take to break a password by brute force using a standard PC
• Treat such figures as an upper bound: attackers use dictionaries of leaked passwords and GPU hardware, so a password built from a common word with substitutions falls far faster than the brute-force estimate suggests
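An added example, not part of the original slides, of what such a strength calculator does and why its brute-force figure is only an upper bound: it sizes the character set, estimates exhaustion time under three assumed attacker guess rates, and then checks whether the password is really just a dictionary word with the substitutions that cracking rules undo. The guess rates and the small wordlist are constructed assumptions for illustration.

```python
import string

# Assumed guesses per second for three attacker models (round illustrative figures).
ATTACKER_RATES = {
    "online, rate-limited login form": 10.0,
    "offline, fast unsalted hash on a GPU rig": 1e10,
    "offline, slow hash (bcrypt/PBKDF2, high cost)": 1e4,
}

# Constructed stand-in for a real list of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
]


def keyspace(password: str) -> int:
    """Alphabet size a brute-force attacker must cover, from the classes actually used."""
    size = sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))
    return size or 1


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace; on average an attacker needs half of it."""
    return keyspace(password) ** len(password) / guesses_per_second


def normalise(password: str) -> str:
    """Undo the tricks cracking rules already know: strip trailing digits/symbols,
    lower-case, and reverse common leet substitutions (P@ssw0rd1! -> password)."""
    stripped = password.strip(string.digits + string.punctuation).lower()
    return stripped.translate(str.maketrans("@$0134", "asolea"))


def is_dictionary_password(password: str) -> bool:
    return normalise(password) in COMMON_PASSWORDS


def assess(password: str) -> dict:
    """Brute-force estimate per attacker model plus the dictionary verdict that trumps it."""
    return {
        "keyspace": keyspace(password),
        "dictionary_hit": is_dictionary_password(password),
        "brute_force_seconds": {model: brute_force_seconds(password, rate)
                                for model, rate in ATTACKER_RATES.items()},
    }


def years(seconds: float) -> float:
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "xk7#Lq2vB9!mZ"):
        report = assess(pw)
        print(pw, "dictionary hit:", report["dictionary_hit"])
        for model, secs in report["brute_force_seconds"].items():
            print(f"  {model}: {years(secs):.3g} years to exhaust")
```

"P@ssw0rd1!" scores a 94-character keyspace and a brute-force time of millennia under every model, yet it is a dictionary hit, which is the figure that matters.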
Encryption
• Encryption is the process of encoding information in such a way that it is not directly readable. A key is required to decrypt the information and understand it
• A systematic transformation is applied to the information, based on the key, to transform it into a different form
• The original information can only be recovered by a reader who has the key that reverses the transformation; the algorithm itself is assumed to be known to the attacker, so all of the secrecy rests on the key
Example of encryption here
Encryption
• Used sensibly, encryption can contribute to cybersecurity improvement but is not an answer in itself
– Security of the encryption keys: a key stored next to the data it protects, or sent over the same channel, protects nothing
– The inconvenience of encryption leads to patchy use and user frustration
– Risk of key loss or corruption: the information is completely lost, and backups of the encrypted data don't help because they need the same key
– Encrypted data can make incident recovery and forensic investigation more difficult
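The key-based transformation on the earlier Encryption slide, and the key-loss failure mode listed above, as an added example that is not part of the original slides. It is a deliberately simple illustrative construction: a keystream derived with HMAC-SHA256 in counter mode, XORed into the data, with a separate HMAC tag (encrypt-then-MAC) so that a wrong key or tampered data is detected rather than silently producing garbage. Production code should use an authenticated cipher such as AES-GCM from a vetted library; the plaintext and keys below are constructed.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(key: bytes) -> tuple:
    """Two sub-keys from one master key: one for confidentiality, one for integrity."""
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || block_index) for each 32-byte block."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh random nonce per message keeps keystreams unique."""
    enc_key, mac_key = derive_keys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverses the transformation; raises ValueError if the key is wrong or the data was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = derive_keys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def recover(candidate_keys, blob: bytes):
    """The key-loss scenario: try every key you still have; None means the data is gone for good."""
    for key in candidate_keys:
        try:
            return decrypt(key, blob)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    master = os.urandom(32)                       # constructed key for the demo
    blob = encrypt(master, b"confidential report")
    print(decrypt(master, blob))                  # b'confidential report'
    print(recover([os.urandom(32), os.urandom(32)], blob))  # None: the right key is missing
```

The `recover` function is the point of the slide's last bullets: a backup of `blob` is worthless without `master`, so key escrow and key backup need to be designed in alongside the encryption itself.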
Awareness
• Educate users about the importance of cybersecurity and provide information that supports their secure use of computer systems
• Be open about incidents that have occurred, so that users learn from them rather than hearing rumours
Awareness
• Take into account how people really are rather than how you might like them to be
• People have human failings and inevitably will make mistakes
Awareness
• Bad security advice
– Many security guidelines and rules are unrealistic and cannot be followed in practice by users
– "Use a different password for every website you visit"
Awareness
• Good security advice
– If you use the same password for everything, an attacker who obtains it from one site can get into all your accounts
– Use different passwords for all online bank accounts and only reuse passwords for accounts you don't really care about (a password manager makes unique passwords practical where users will tolerate one)
Procedures
• Businesses should design appropriate procedures based on the value of the assets that are being protected
• If you simply apply the most secure procedures to all information, this disrupts work and users are more likely to try to circumvent the procedures
Procedures
• If information is not confidential, then it often makes sense to make it public
• This removes the need for users to authenticate to read the information; changing it should still require authentication, because public information that can be altered by anyone is an integrity problem
Procedures
• Cybersecurity awareness procedures for all staff, including the most senior management
• Recognise reality: people will use phones and tablets for work, so derive procedures for their safe use rather than procedures that pretend they are not used
Monitoring and logging
• Monitoring and logging means recording security-relevant user actions (logins and failures, privilege changes, access to sensitive data) with a timestamp, the user and the source, so that you keep track of all accesses to the system
• Logs must be protected from the users they record: an intruder's first step is often to delete or alter them
Monitoring and logging
• Use tools to scan the logs frequently, looking for anomalies such as repeated login failures from one source or access to sensitive files outside normal hours
• Can be an important deterrent to insider attacks if potential attackers know that they have a real chance of being discovered through the logging system
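An added example, not part of the original slides, of the log scanning the bullets describe: a small parser for a syslog-like line format and two anomaly detectors run over constructed sample lines. The first flags a source address with many failed logins (an external guessing attack); the second flags a user reading many sensitive files outside working hours (the insider case the slide mentions). The log format, thresholds and working hours are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format: timestamp source event key=value...).
SAMPLE_LOG = """\
2013-05-14T09:02:11 auth LOGIN_OK user=alice src=10.0.0.5
2013-05-14T09:05:40 auth LOGIN_FAIL user=bob src=198.51.100.7
2013-05-14T09:05:41 auth LOGIN_FAIL user=bob src=198.51.100.7
2013-05-14T09:05:42 auth LOGIN_FAIL user=bob src=198.51.100.7
2013-05-14T09:05:43 auth LOGIN_FAIL user=bob src=198.51.100.7
2013-05-14T09:05:44 auth LOGIN_FAIL user=bob src=198.51.100.7
2013-05-14T09:05:45 auth LOGIN_FAIL user=bob src=198.51.100.7
2013-05-14T10:15:02 files READ user=alice path=/finance/q1.xlsx
2013-05-14T23:48:19 auth LOGIN_OK user=carol src=10.0.0.9
2013-05-14T23:49:03 files READ user=carol path=/hr/salaries.xlsx
2013-05-14T23:49:10 files READ user=carol path=/hr/contracts.docx
2013-05-14T23:49:15 files READ user=carol path=/hr/appraisals.docx
2013-05-14T23:49:20 files READ user=carol path=/hr/dismissals.docx
2013-05-14T23:49:25 files READ user=carol path=/hr/bonuses.xlsx
2013-05-14T23:49:30 files READ user=carol path=/hr/payroll.xlsx
this line is garbage and must not crash the scanner
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+) (?P<fields>.*)$")


def parse(line: str):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "source": m["source"], "event": m["event"], **fields}


def brute_force_sources(events, threshold: int = 5) -> dict:
    """Source addresses with at least `threshold` failed logins."""
    fails = Counter(e["src"] for e in events if e["event"] == "LOGIN_FAIL" and "src" in e)
    return {src: n for src, n in fails.items() if n >= threshold}


def out_of_hours_readers(events, start_hour: int = 7, end_hour: int = 20, min_files: int = 5) -> dict:
    """Users who read at least `min_files` distinct files outside assumed working hours."""
    reads = defaultdict(set)
    for e in events:
        if e["event"] == "READ" and "path" in e and not (start_hour <= e["ts"].hour < end_hour):
            reads[e["user"]].add(e["path"])
    return {user: sorted(paths) for user, paths in reads.items() if len(paths) >= min_files}


def scan(log_text: str) -> dict:
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    return {
        "brute_force": brute_force_sources(events),
        "out_of_hours": out_of_hours_readers(events),
    }


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        print(kind, hits)
```

Both detectors are deliberately simple thresholds; the value is in running them on every log rotation rather than in their sophistication, and in the fact that staff know they run.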
Summary
• Improving cybersecurity depends on
– Deterrence
– Awareness
– Effective procedures
– Monitoring and logging