HND COMPUTING

UNIT 05 – SECURITY

Introduction to Security
Phil Smith
 LEARNING OUTCOMES

By the end of this unit you will be able to:

LO1 Assess risks to IT security.

LO2 Describe IT security solutions.
LO3 Review mechanisms to control organisational IT security.
LO4 Manage organisational security.

More detail on the wiki.

 ASSESSMENT - CRITERIA

Lets review the assessment criteria.

http://wiki.computing.hct.ac.uk/_media/computing/hnd/l4-u05-
assessment.pdf
 ASSIGNMENTS

• 2 summative assignments
• Each has a formative assignment with feedback.
 STRUCTURE

• 1-2 hours hours of lectures – approx., per week.

• 2 hour of tutorial/lab (approx.),
• Lab work will mostly be individual and in small groups.
• Additional independent study.

• The timings are a guide only.

 RESOURCES

• Lectures.
• Books (in lab).
• Books in LRC.
• Internet, you have internet access.
• Periodicals etc.
 WHAT THIS UNIT IS ABOUT

• Security is one of the most important challenges modern organisations face.

• Security is about protecting organisational assets, including personnel data,

equipment and networks from attack through the use of prevention techniques
in the form of vulnerability testing/security policies and detection techniques,
exposing breaches in security and implementing effective responses.
 AIMS

• The aim of this unit is to provide you with knowledge of security, associated
risks and how security breaches impact on business continuity.

• You will –
• examine security measures involving
• access authorisation,
• regulation of use,
• implementing contingency plans
• devising security policies and procedures.
 HOW

• Topics included in this unit are

• Network Security design -
• Operational topics -
• address translation,
• DMZ,
• VPN,
• firewalls,
• AV and intrusion
• detection systems -
• Remote access will be covered, as will the need for frequent vulnerability testing as part of
organisational and security audit compliance.
 SKILLS

• You will develop skills such as

1. communication literacy
2. critical thinking
3. analysis
4. reasoning and interpretation

• All of which are crucial for gaining employment and developing academic
competence.
 QUESTIONS ?

• Any questions?
 START

• We shall start with LO1

• LO1 - Assess risks to IT security.

 IT SECURITY RISKS

• Risks:
1. unauthorised use of a system;
2. unauthorised removal or copying of data or code from a system;
3. damage to or destruction of physical system assets and environment;
4. damage to or destruction of data or code inside or outside the system;
5. naturally occurring risks.
 ORGANISATIONAL SECURITY

• Organisational security:
• business continuance;
• backup/restoration of data;
• audits;
• testing procedures e.g.
• data,
• network,
• systems,
• operational impact of security breaches,
• WANs,
• intranets,
• wireless access systems.
 UNDERSTAND RISKS TO IT
SECURITY Task

What types of risk to an organisation’s IT security exist in relation to unauthorised access of organisational data and equipment in
different environments.
Also find examples and situations where unauthorised system access can occur.

Consider -

1. unauthorised use of a system;

2. unauthorised removal or copying of data or code from a system;

Create a new security document then -

• Draw up a list of possible risks. You can work in a group if you wish.

• 15 Minutes

• I will then ask each of you for what you think is the most important risk with your reasoning?
 UNDERSTAND RISKS TO IT
SECURITY Task

Research types of types of security threat and their impact on an organisation.

Consider -

1. Large organisations;
2. MWS;

Add the following to your document.

• Draw up a list of possible threats and their main impact. You can work in a group if you wish.

• 15 Minutes

• I will then ask each of you for one threat and its impact.
 UNDERSTAND RISKS TO IT
SECURITY Task

Research what ways can IT be used to detect unauthorised access – benefits and
drawbacks?

Add the following to your document.

• Draw up a list of possible threats and their main impact. You can work in a group if you wish.

• 15 Minutes

• I will then ask each of you for one detection method.

 TYPES OF RISK (EXAMPLES)

• unauthorised use of a system without damage to data,

• unauthorised removal or copying of data or code from a system,
• damage to or destruction of physical system assets and environment
• damage to or destruction of data or code inside or outside the system
• naturally occurring risks
 EXAMPLES

• Variety of threats described, largely malware but includes deliberate

attack (cuts) to fibre cable in San Jose, California 2009.
• Logic bomb – Omega engineering 1996
• Fraud Citibank 1994
• Information warfare alert 1998 (false alarm)
• Various other malware
 CATEGORISING THREAT TYPES

Different ways to categorise:

• Origin: Internal vs external
• Sophistication: ‘Script kiddies’ vs elite hackers (vs nation states)
• Organisation: unstructured vs highly structured
 DIFFERENT TYPES

• Malware
• Intruders
• Insiders
• Criminal organisations
• Terrorists
• Information warfare
 TRENDS

Main-frame -> portable devices

Computing power increasing
Level of knowledge required decreasing (script kiddies)
Level of sophistication increasing
Number of potential attackers increasing
CSI Computer Crime and Security Survey (www.gocsi.com) generated by
FBI & Computer Security Institute (CSI)
 LOSSES

Difficult to quantify
Direct loss – fraud
Loss of proprietary information
Loss of business through outage
Damage to reputation
Repair costs
 REASONS FOR ATTACK

“You are a business, you have data, data is worth

having…”
• Specifically targeted
• Random
• Opportunistic
 SUMMARY

• What have you learnt today – over to you!